@salesforce/core 4.0.0 → 4.1.0

package/lib/org/authInfo.js

@@ -1,15 +1,17 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthInfo = exports.DEFAULT_CONNECTED_APP_INFO = void 0;
 /*
  * Copyright (c) 2020, salesforce.com, inc.
  * All rights reserved.
  * Licensed under the BSD 3-Clause license.
  * For full license text, see LICENSE.txt file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
+/* eslint-disable class-methods-use-this */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthInfo = exports.DEFAULT_CONNECTED_APP_INFO = void 0;
 const crypto_1 = require("crypto");
 const path_1 = require("path");
 const os = require("os");
+const fs = require("fs");
 const kit_1 = require("@salesforce/kit");
 const ts_types_1 = require("@salesforce/ts-types");
 const jsforce_1 = require("jsforce");
@@ -18,40 +20,15 @@ const jwt = require("jsonwebtoken");
 const config_1 = require("../config/config");
 const configAggregator_1 = require("../config/configAggregator");
 const logger_1 = require("../logger");
-const sfdxError_1 = require("../sfdxError");
-const fs_1 = require("../util/fs");
+const sfError_1 = require("../sfError");
 const sfdc_1 = require("../util/sfdc");
-const globalInfo_1 = require("../globalInfo");
+const stateAggregator_1 = require("../stateAggregator");
 const messages_1 = require("../messages");
 const sfdcUrl_1 = require("../util/sfdcUrl");
 const connection_1 = require("./connection");
 const orgConfigProperties_1 = require("./orgConfigProperties");
-messages_1.Messages.importMessagesDirectory(__dirname);
-const messages = messages_1.Messages.load('@salesforce/core', 'core', [
-    'authInfoCreationError',
-    'authInfoOverwriteError',
-    'namedOrgNotFound',
-    'orgDataNotAvailableError',
-    'orgDataNotAvailableError.actions',
-    'refreshTokenAuthError',
-    'jwtAuthError',
-    'authCodeUsernameRetrievalError',
-    'authCodeExchangeError',
-]);
-// Extend OAuth2 to add JWT Bearer Token Flow support.
-class JwtOAuth2 extends jsforce_1.OAuth2 {
-    constructor(options) {
-        super(options);
-    }
-    jwtAuthorize(innerToken) {
-        // @ts-ignore
-        return super._postParams({
-            // eslint-disable-next-line camelcase
-            grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-            assertion: innerToken,
-        });
-    }
-}
+const org_1 = require("./org");
+const messages = new messages_1.Messages('@salesforce/core', 'core', new Map([["authInfoCreationError", "Must pass a username and/or OAuth options when creating an AuthInfo instance."], ["authInfoOverwriteError", "Cannot create an AuthInfo instance that will overwrite existing auth data."], ["authInfoOverwriteError.actions", ["Create the AuthInfo instance using existing auth data by just passing the username. E.g., `AuthInfo.create({ username: 'my@user.org' });`."]], ["authCodeExchangeError", "Error authenticating with auth code due to: %s"], ["authCodeUsernameRetrievalError", "Could not retrieve the username after successful auth code exchange.\n\nDue to: %s"], ["jwtAuthError", "Error authenticating with JWT config due to: %s"], ["jwtAuthErrors", "Error authenticating with JWT.\nErrors encountered:\n%s"], ["refreshTokenAuthError", "Error authenticating with the refresh token due to: %s"], ["orgDataNotAvailableError", "An attempt to refresh the authentication token failed with a 'Data Not Found Error'. The org identified by username %s does not appear to exist. Likely cause is that the org was deleted by another user or has expired."], ["orgDataNotAvailableError.actions", ["Run `sfdx force:org:list --clean` to remove stale org authentications.", "Use `sfdx force:config:set` to update the defaultusername.", "Use `sfdx force:org:create` to create a new org.", "Use `sfdx auth` to authenticate an existing org."]], ["namedOrgNotFound", "No authorization information found for %s."], ["noAliasesFound", "Nothing to set."], ["invalidFormat", "Setting aliases must be in the format <key>=<value> but found: [%s]."], ["invalidJsonCasing", "All JSON input must have heads down camelcase keys. E.g., `{ sfdcLoginUrl: \"https://login.salesforce.com\" }`\nFound \"%s\" at %s"], ["missingClientId", "Client ID is required for JWT authentication."]]));
 // parses the id field returned from jsForce oauth2 methods to get
 // user ID and org ID.
 function parseIdUrl(idUrl) {
@@ -66,15 +43,7 @@ function parseIdUrl(idUrl) {
 }
 exports.DEFAULT_CONNECTED_APP_INFO = {
     clientId: 'PlatformCLI',
-    // Legacy. The connected app info is owned by the thing that
-    // creates new AuthInfos. Currently that is the auth:* commands which
-    // aren't owned by this core library. These values need to be here
-    // for any old auth files where the id and secret aren't stored.
-    //
-    // Ideally, this would be removed at some point in the distant future
-    // when all auth files now have the clientId stored in it.
-    legacyClientId: 'SalesforceDevelopmentExperience',
-    legacyClientSecret: '1384510088588713504',
+    clientSecret: '',
 };
 /**
  * Handles persistence and fetching of user authentication information using
@@ -121,7 +90,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         super(options);
         // Possibly overridden in create
         this.usingAccessToken = false;
-        this.options = options || {};
+        this.options = options ?? {};
     }
     /**
      * Returns the default instance url
@@ -129,8 +98,8 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @returns {string}
      */
     static getDefaultInstanceUrl() {
-        const configuredInstanceUrl = configAggregator_1.ConfigAggregator.getValue('instanceUrl').value;
-        return configuredInstanceUrl || sfdcUrl_1.SfdcUrl.PRODUCTION;
+        const configuredInstanceUrl = configAggregator_1.ConfigAggregator.getValue(orgConfigProperties_1.OrgConfigProperties.ORG_INSTANCE_URL)?.value;
+        return configuredInstanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION;
     }
     /**
      * Get a list of all authorizations based on auth files stored in the global directory.
@@ -142,20 +111,21 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @returns {Promise<OrgAuthorization[]>}
      */
     static async listAllAuthorizations(orgAuthFilter = (orgAuth) => !!orgAuth) {
-        var _a;
-        const globalInfo = await globalInfo_1.GlobalInfo.getInstance();
+        const stateAggregator = await stateAggregator_1.StateAggregator.getInstance();
         const config = (await configAggregator_1.ConfigAggregator.create()).getConfigInfo();
-        const orgs = Object.values(globalInfo.orgs.getAll());
+        const orgs = await stateAggregator.orgs.readAll();
         const final = [];
         for (const org of orgs) {
             const username = (0, ts_types_1.ensureString)(org.username);
-            const aliases = (_a = globalInfo.aliases.getAll(username)) !== null && _a !== void 0 ? _a : undefined;
+            const aliases = stateAggregator.aliases.getAll(username) ?? undefined;
             // Get a list of configuration values that are set to either the username or one
             // of the aliases
             const configs = config
                 .filter((c) => aliases.includes(c.value) || c.value === username)
                 .map((c) => c.key);
             try {
+                // prevent ConfigFile collision bug
+                // eslint-disable-next-line no-await-in-loop
                 const authInfo = await AuthInfo.create({ username });
                 const { orgId, instanceUrl, devHubUsername, expirationDate, isDevHub } = authInfo.getFields();
                 final.push({
@@ -164,7 +134,9 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
                     username,
                     instanceUrl,
                     isScratchOrg: Boolean(devHubUsername),
-                    isDevHub: isDevHub || false,
+                    isDevHub: isDevHub ?? false,
+                    // eslint-disable-next-line no-await-in-loop
+                    isSandbox: await stateAggregator.sandboxes.hasFile(orgId),
                     orgId: orgId,
                     accessToken: authInfo.getConnectionOptions().accessToken,
                     oauthMethod: authInfo.isJwt() ? 'jwt' : authInfo.isOauth() ? 'web' : 'token',
@@ -194,7 +166,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      */
     static async hasAuthentications() {
         try {
-            const auths = (await globalInfo_1.GlobalInfo.getInstance()).orgs.getAll();
+            const auths = await (await stateAggregator_1.StateAggregator.getInstance()).orgs.list();
             return !(0, kit_1.isEmpty)(auths);
         }
         catch (err) {
@@ -213,14 +185,14 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
     static getAuthorizationUrl(options, oauth2) {
         // Always use a verifier for enhanced security
         options.useVerifier = true;
-        const oauth2Verifier = oauth2 || new jsforce_1.OAuth2(options);
+        const oauth2Verifier = oauth2 ?? new jsforce_1.OAuth2(options);
         // The state parameter allows the redirectUri callback listener to ignore request
         // that don't contain the state value.
         const params = {
             state: (0, crypto_1.randomBytes)(Math.ceil(6)).toString('hex'),
             prompt: 'login',
             // Default connected app is 'refresh_token api web'
-            scope: options.scope || kit_1.env.getString('SFDX_AUTH_SCOPES', 'refresh_token api web'),
+            scope: options.scope ?? kit_1.env.getString('SFDX_AUTH_SCOPES', 'refresh_token api web'),
         };
         return oauth2Verifier.getAuthorizationUrl(params);
     }
@@ -236,7 +208,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
     static parseSfdxAuthUrl(sfdxAuthUrl) {
         const match = sfdxAuthUrl.match(/^force:\/\/([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]*):([a-zA-Z0-9._-]+={0,2})@([a-zA-Z0-9._-]+)/);
         if (!match) {
-            throw new sfdxError_1.SfdxError('Invalid SFDX auth URL. Must be in the format "force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>".  Note that the SFDX auth URL uses the "force" protocol, and not "http" or "https".  Also note that the "instanceUrl" inside the SFDX auth URL doesn\'t include the protocol ("https://").', 'INVALID_SFDX_AUTH_URL');
+            throw new sfError_1.SfError('Invalid SFDX auth URL. Must be in the format "force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>".  Note that the SFDX auth URL uses the "force" protocol, and not "http" or "https".  Also note that the "instanceUrl" inside the SFDX auth URL doesn\'t include the protocol ("https://").', 'INVALID_SFDX_AUTH_URL');
         }
         const [, clientId, clientSecret, refreshToken, loginUrl] = match;
         return {
@@ -246,6 +218,64 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             loginUrl: `https://${loginUrl}`,
         };
     }
+    /**
+     * Given a set of decrypted fields and an authInfo, determine if the org belongs to an available
+     * dev hub.
+     *
+     * @param fields
+     * @param orgAuthInfo
+     */
+    static async identifyPossibleScratchOrgs(fields, orgAuthInfo) {
+        // fields property is passed in because the consumers of this method have performed the decrypt.
+        // This is so we don't have to call authInfo.getFields(true) and decrypt again OR accidentally save an
+        // authInfo before it is necessary.
+        const logger = await logger_1.Logger.child('Common', { tag: 'identifyPossibleScratchOrgs' });
+        // return if we already know the hub org we know it is a devhub or prod-like or no orgId present
+        if (fields.isDevHub || fields.devHubUsername || !fields.orgId)
+            return;
+        logger.debug('getting devHubs');
+        // TODO: return if url is not sandbox-like to avoid constantly asking about production orgs
+        // TODO: someday we make this easier by asking the org if it is a scratch org
+        const hubAuthInfos = await AuthInfo.getDevHubAuthInfos();
+        logger.debug(`found ${hubAuthInfos.length} DevHubs`);
+        if (hubAuthInfos.length === 0)
+            return;
+        // ask all those orgs if they know this orgId
+        await Promise.all(hubAuthInfos.map(async (hubAuthInfo) => {
+            try {
+                const soi = await AuthInfo.queryScratchOrg(hubAuthInfo.username, fields.orgId);
+                // if any return a result
+                logger.debug(`found orgId ${fields.orgId} in devhub ${hubAuthInfo.username}`);
+                try {
+                    await orgAuthInfo.save({
+                        ...fields,
+                        devHubUsername: hubAuthInfo.username,
+                        expirationDate: soi.ExpirationDate,
+                        isScratch: true,
+                    });
+                    logger.debug(`set ${hubAuthInfo.username} as devhub and expirationDate ${soi.ExpirationDate} for scratch org ${orgAuthInfo.getUsername()}`);
+                }
+                catch (error) {
+                    logger.debug(`error updating auth file for ${orgAuthInfo.getUsername()}`, error);
+                }
+            }
+            catch (error) {
+                logger.error(`Error connecting to devhub ${hubAuthInfo.username}`, error);
+            }
+        }));
+    }
+    /**
+     * Find all dev hubs available in the local environment.
+     */
+    static async getDevHubAuthInfos() {
+        return AuthInfo.listAllAuthorizations((possibleHub) => possibleHub?.isDevHub ?? false);
+    }
+    static async queryScratchOrg(devHubUsername, scratchOrgId) {
+        const devHubOrg = await org_1.Org.create({ aliasOrUsername: devHubUsername });
+        const conn = devHubOrg.getConnection();
+        const data = await conn.singleRecordQuery(`select Id, ExpirationDate from ScratchOrgInfo where ScratchOrg = '${(0, sfdc_1.trimTo15)(scratchOrgId)}'`);
+        return data;
+    }
     /**
      * Get the username.
      */
@@ -287,11 +317,11 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
     async save(authData) {
         this.update(authData);
         const username = (0, ts_types_1.ensure)(this.getUsername());
-        if (sfdc_1.sfdc.matchesAccessToken(username)) {
+        if ((0, sfdc_1.matchesAccessToken)(username)) {
             this.logger.debug('Username is an accesstoken. Skip saving authinfo to disk.');
             return this;
         }
-        await this.globalInfo.write();
+        await this.stateAggregator.orgs.write(username);
         this.logger.info(`Saved auth info for username: ${username}`);
         return this;
     }
@@ -302,13 +332,10 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param authData Authorization fields to update.
      */
     update(authData) {
-        // todo move into configstore
         if (authData && (0, ts_types_1.isPlainObject)(authData)) {
-            this.username = authData.username || this.username;
-            const existingFields = this.globalInfo.orgs.get(this.getUsername());
-            const mergedFields = Object.assign({}, existingFields || {}, authData);
-            this.globalInfo.orgs.set(this.getUsername(), mergedFields);
-            this.logger.info(`Updated auth info for username: ${this.getUsername()}`);
+            this.username = authData.username ?? this.username;
+            this.stateAggregator.orgs.update(this.username, authData);
+            this.logger.info(`Updated auth info for username: ${this.username}`);
         }
         return this;
     }
@@ -341,7 +368,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             // Decrypt a user provided client secret or use the default.
             opts = {
                 oauth2: {
-                    loginUrl: instanceUrl || sfdcUrl_1.SfdcUrl.PRODUCTION,
+                    loginUrl: instanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION,
                     clientId: this.getClientId(),
                     redirectUri: this.getRedirectUri(),
                 },
@@ -354,8 +381,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         return opts;
     }
     getClientId() {
-        var _a;
-        return ((_a = this.getFields()) === null || _a === void 0 ? void 0 : _a.clientId) || exports.DEFAULT_CONNECTED_APP_INFO.legacyClientId;
+        return this.getFields()?.clientId ?? exports.DEFAULT_CONNECTED_APP_INFO.clientId;
     }
     getRedirectUri() {
         return 'http://localhost:1717/OauthRedirect';
@@ -366,7 +392,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param decrypt Decrypt the fields.
      */
     getFields(decrypt) {
-        return this.globalInfo.orgs.get(this.username, decrypt);
+        return this.stateAggregator.orgs.get(this.username, decrypt) ?? {};
     }
     /**
      * Get the org front door (used for web based oauth flows)
@@ -393,11 +419,37 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         const instanceUrl = (0, ts_types_1.ensure)(decryptedFields.instanceUrl, 'undefined instanceUrl').replace(/^https?:\/\//, '');
         let sfdxAuthUrl = 'force://';
         if (decryptedFields.clientId) {
-            sfdxAuthUrl += `${decryptedFields.clientId}:${decryptedFields.clientSecret || ''}:`;
+            sfdxAuthUrl += `${decryptedFields.clientId}:${decryptedFields.clientSecret ?? ''}:`;
         }
         sfdxAuthUrl += `${(0, ts_types_1.ensure)(decryptedFields.refreshToken, 'undefined refreshToken')}@${instanceUrl}`;
         return sfdxAuthUrl;
     }
+    /**
+     * Convenience function to handle typical side effects encountered when dealing with an AuthInfo.
+     * Given the values supplied in parameter sideEffects, this function will set auth alias, default auth
+     * and default dev hub.
+     *
+     * @param sideEffects - instance of AuthSideEffects
+     */
+    async handleAliasAndDefaultSettings(sideEffects) {
+        if (sideEffects.alias ||
+            sideEffects.setDefault ||
+            sideEffects.setDefaultDevHub ||
+            typeof sideEffects.setTracksSource === 'boolean') {
+            if (sideEffects.alias)
+                await this.setAlias(sideEffects.alias);
+            if (sideEffects.setDefault)
+                await this.setAsDefault({ org: true });
+            if (sideEffects.setDefaultDevHub)
+                await this.setAsDefault({ devHub: true });
+            if (typeof sideEffects.setTracksSource === 'boolean') {
+                await this.save({ tracksSource: sideEffects.setTracksSource });
+            }
+            else {
+                await this.save();
+            }
+        }
+    }
     /**
      * Set the target-env (default) or the target-dev-hub to the alias if
      * it exists otherwise to the username. Method will try to set the local
@@ -415,8 +467,8 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             config = await config_1.Config.create({ isGlobal: true });
         }
         const username = (0, ts_types_1.ensureString)(this.getUsername());
-        const alias = this.globalInfo.aliases.get(username);
-        const value = alias !== null && alias !== void 0 ? alias : username;
+        const alias = this.stateAggregator.aliases.get(username);
+        const value = alias ?? username;
         if (options.org) {
             config.set(orgConfigProperties_1.OrgConfigProperties.TARGET_ORG, value);
         }
@@ -431,16 +483,16 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @param alias alias to set
      */
     async setAlias(alias) {
-        this.globalInfo.aliases.set(alias, this.getUsername());
+        this.stateAggregator.aliases.set(alias, this.getUsername());
+        await this.stateAggregator.aliases.write();
     }
     /**
      * Initializes an instance of the AuthInfo class.
      */
     async init() {
-        // We have to set the global instance here because we need synchronous access to it later
-        this.globalInfo = await globalInfo_1.GlobalInfo.getInstance();
+        this.stateAggregator = await stateAggregator_1.StateAggregator.getInstance();
         const username = this.options.username;
-        const authOptions = this.options.oauth2Options || this.options.accessTokenOptions;
+        const authOptions = this.options.oauth2Options ?? this.options.accessTokenOptions;
         // Must specify either username and/or options
         if (!username && !authOptions) {
             throw messages.createError('authInfoCreationError');
@@ -448,21 +500,21 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         // If a username AND oauth options, ensure an authorization for the username doesn't
         // already exist. Throw if it does so we don't overwrite the authorization.
         if (username && authOptions) {
-            const authExists = this.globalInfo.orgs.has(username);
-            if (authExists) {
+            if (await this.stateAggregator.orgs.hasFile(username)) {
                 throw messages.createError('authInfoOverwriteError');
             }
         }
-        const oauthUsername = username || (0, ts_types_1.getString)(authOptions, 'username');
+        const oauthUsername = username ?? authOptions?.username;
         if (oauthUsername) {
             this.username = oauthUsername;
+            await this.stateAggregator.orgs.read(oauthUsername, false, false);
         } // Else it will be set in initAuthOptions below.
         // If the username is an access token, use that for auth and don't persist
-        if ((0, ts_types_1.isString)(oauthUsername) && sfdc_1.sfdc.matchesAccessToken(oauthUsername)) {
+        if ((0, ts_types_1.isString)(oauthUsername) && (0, sfdc_1.matchesAccessToken)(oauthUsername)) {
             // Need to initAuthOptions the logger and authInfoCrypto since we don't call init()
             this.logger = await logger_1.Logger.child('AuthInfo');
             const aggregator = await configAggregator_1.ConfigAggregator.create();
-            const instanceUrl = this.getInstanceUrl(authOptions, aggregator);
+            const instanceUrl = this.getInstanceUrl(aggregator, authOptions);
             this.update({
                 accessToken: oauthUsername,
                 instanceUrl,
@@ -472,16 +524,16 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             this.usingAccessToken = true;
         }
         // If a username with NO oauth options, ensure authorization already exist.
-        else if (username && !authOptions && !this.globalInfo.orgs.has(username)) {
+        else if (username && !authOptions && !(await this.stateAggregator.orgs.exists(username))) {
             throw messages.createError('namedOrgNotFound', [username]);
         }
         else {
             await this.initAuthOptions(authOptions);
         }
     }
-    getInstanceUrl(options, aggregator) {
-        const instanceUrl = (0, ts_types_1.getString)(options, 'instanceUrl') || aggregator.getPropertyValue('instanceUrl');
-        return instanceUrl || sfdcUrl_1.SfdcUrl.PRODUCTION;
+    getInstanceUrl(aggregator, options) {
+        const instanceUrl = options?.instanceUrl ?? aggregator.getPropertyValue(orgConfigProperties_1.OrgConfigProperties.ORG_INSTANCE_URL);
+        return instanceUrl ?? sfdcUrl_1.SfdcUrl.PRODUCTION;
     }
     /**
      * Initialize this AuthInfo instance with the specified options. If options are not provided, initialize it from cache
@@ -489,7 +541,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      *
      * @param options Options to be used for creating an OAuth2 instance.
      *
-     * **Throws** *{@link SfdxError}{ name: 'NamedOrgNotFoundError' }* Org information does not exist.
+     * **Throws** *{@link SfError}{ name: 'NamedOrgNotFoundError' }* Org information does not exist.
      * @returns {Promise<AuthInfo>}
      */
     async initAuthOptions(options) {
@@ -501,7 +553,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             if (this.isTokenOptions(options)) {
                 authConfig = options;
                 const userInfo = await this.retrieveUserInfo((0, ts_types_1.ensureString)(options.instanceUrl), (0, ts_types_1.ensureString)(options.accessToken));
-                this.update({ username: userInfo === null || userInfo === void 0 ? void 0 : userInfo.username, orgId: userInfo === null || userInfo === void 0 ? void 0 : userInfo.organizationId });
+                this.update({ username: userInfo?.username, orgId: userInfo?.organizationId });
             }
             else {
                 if (this.options.parentUsername) {
@@ -524,30 +576,32 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
                     options.privateKey = (0, path_1.resolve)(options.privateKeyFile);
                 }
                 if (options.privateKey) {
-                    authConfig = await this.buildJwtConfig(options);
+                    authConfig = await this.authJwt(options);
                 }
                 else if (!options.authCode && options.refreshToken) {
                     // refresh token flow (from sfdxUrl or OAuth refreshFn)
                     authConfig = await this.buildRefreshTokenConfig(options);
                 }
+                else if (this.options.oauth2 instanceof jsforce_1.OAuth2) {
+                    // authcode exchange / web auth flow
+                    authConfig = await this.exchangeToken(options, this.options.oauth2);
+                }
                 else {
-                    if (this.options.oauth2 instanceof jsforce_1.OAuth2) {
-                        // authcode exchange / web auth flow
-                        authConfig = await this.exchangeToken(options, this.options.oauth2);
-                    }
-                    else {
-                        authConfig = await this.exchangeToken(options);
-                    }
+                    authConfig = await this.exchangeToken(options);
                 }
             }
+            authConfig.isDevHub = await this.determineIfDevHub((0, ts_types_1.ensureString)(authConfig.instanceUrl), (0, ts_types_1.ensureString)(authConfig.accessToken));
+            if (authConfig.username)
+                await this.stateAggregator.orgs.read(authConfig.username, false, false);
             // Update the auth fields WITH encryption
             this.update(authConfig);
         }
         return this;
     }
+    // eslint-disable-next-line @typescript-eslint/require-await
     async loadDecryptedAuthFromConfig(username) {
         // Fetch from the persisted auth file
-        const authInfo = this.globalInfo.orgs.get(username, true);
+        const authInfo = this.stateAggregator.orgs.get(username, true);
         if (!authInfo) {
             throw messages.createError('namedOrgNotFound', [username]);
         }
@@ -565,7 +619,6 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
     // A callback function for a connection to refresh an access token.  This is used
     // both for a JWT connection and an OAuth connection.
     async refreshFn(conn, callback) {
-        var _a;
         this.logger.info('Access token has expired. Updating...');
         try {
             const fields = this.getFields(true);
@@ -575,35 +628,48 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         }
         catch (err) {
             const error = err;
-            if ((_a = error === null || error === void 0 ? void 0 : error.message) === null || _a === void 0 ? void 0 : _a.includes('Data Not Available')) {
+            if (error?.message?.includes('Data Not Available')) {
                 // Set cause to keep original stacktrace
                 return await callback(messages.createError('orgDataNotAvailableError', [this.getUsername()], [], error));
             }
             return await callback(error);
         }
     }
+    async readJwtKey(keyFile) {
+        return fs.promises.readFile(keyFile, 'utf8');
+    }
     // Build OAuth config for a JWT auth flow
-    async buildJwtConfig(options) {
-        const privateKeyContents = await fs_1.fs.readFile((0, ts_types_1.ensure)(options.privateKey), 'utf8');
+    async authJwt(options) {
+        if (!options.clientId) {
+            throw messages.createError('missingClientId');
+        }
+        const privateKeyContents = await this.readJwtKey((0, ts_types_1.ensureString)(options.privateKey));
         const { loginUrl = sfdcUrl_1.SfdcUrl.PRODUCTION } = options;
         const url = new sfdcUrl_1.SfdcUrl(loginUrl);
-        const createdOrgInstance = (0, ts_types_1.getString)(options, 'createdOrgInstance', '').trim().toLowerCase();
+        const createdOrgInstance = (this.getFields().createdOrgInstance ?? '').trim().toLowerCase();
         const audienceUrl = await url.getJwtAudienceUrl(createdOrgInstance);
-        const jwtToken = jwt.sign({
-            iss: options.clientId,
-            sub: this.getUsername(),
-            aud: audienceUrl,
-            exp: Date.now() + 300,
-        }, privateKeyContents, {
-            algorithm: 'RS256',
-        });
-        const oauth2 = new JwtOAuth2({ loginUrl: options.loginUrl });
         let authFieldsBuilder;
-        try {
-            authFieldsBuilder = (0, ts_types_1.ensureJsonMap)(await oauth2.jwtAuthorize(jwtToken));
+        const authErrors = [];
+        // given that we can no longer depend on instance names or URls to determine audience, let's try them all
+        const loginAndAudienceUrls = (0, sfdcUrl_1.getLoginAudienceCombos)(audienceUrl, loginUrl);
+        for (const [login, audience] of loginAndAudienceUrls) {
+            try {
+                // sequentially, in probabilistic order
+                // eslint-disable-next-line no-await-in-loop
+                authFieldsBuilder = await this.tryJwtAuth(options.clientId, login, audience, privateKeyContents);
+                break;
+            }
+            catch (err) {
+                const error = err;
+                const message = error.message.includes('audience')
+                    ? `${error.message}  [audience=${audience} login=${login}]`
+                    : error.message;
+                authErrors.push(message);
+            }
         }
-        catch (err) {
-            throw messages.createError('jwtAuthError', [err.message]);
+        if (!authFieldsBuilder) {
+            // messages.createError expects names to end in `error` and this one says Errors so do it manually.
+            throw new sfError_1.SfError(messages.getMessage('jwtAuthErrors', [authErrors.join('\n')]), 'JwtAuthError');
         }
         const authFields = {
             accessToken: (0, ts_types_1.asString)(authFieldsBuilder.access_token),
@@ -620,18 +686,34 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             authFields.instanceUrl = instanceUrl;
         }
         catch (err) {
-            this.logger.debug(`Instance URL [${authFieldsBuilder.instance_url}] is not available.  DNS lookup failed. Using loginUrl [${options.loginUrl}] instead. This may result in a "Destination URL not reset" error.`);
+            this.logger.debug(
+            // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+            `Instance URL [${authFieldsBuilder.instance_url}] is not available.  DNS lookup failed. Using loginUrl [${options.loginUrl}] instead. This may result in a "Destination URL not reset" error.`);
             authFields.instanceUrl = options.loginUrl;
         }
         return authFields;
     }
+    async tryJwtAuth(clientId, loginUrl, audienceUrl, privateKeyContents) {
+        const jwtToken = jwt.sign({
+            iss: clientId,
+            sub: this.getUsername(),
+            aud: audienceUrl,
+            exp: Date.now() + 300,
+        }, privateKeyContents, {
+            algorithm: 'RS256',
+        });
+        const oauth2 = new jsforce_1.JwtOAuth2({ loginUrl });
+        // jsforce has it types as any
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+        return (0, ts_types_1.ensureJsonMap)(await oauth2.jwtAuthorize(jwtToken));
+    }
     // Build OAuth config for a refresh token auth flow
     async buildRefreshTokenConfig(options) {
         // Ideally, this would be removed at some point in the distant future when all auth files
         // now have the clientId stored in it.
         if (!options.clientId) {
-            options.clientId = exports.DEFAULT_CONNECTED_APP_INFO.legacyClientId;
-            options.clientSecret = exports.DEFAULT_CONNECTED_APP_INFO.legacyClientSecret;
+            options.clientId = exports.DEFAULT_CONNECTED_APP_INFO.clientId;
+            options.clientSecret = exports.DEFAULT_CONNECTED_APP_INFO.clientSecret;
         }
         if (!options.redirectUri) {
             options.redirectUri = this.getRedirectUri();
@@ -644,22 +726,20 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         catch (err) {
             throw messages.createError('refreshTokenAuthError', [err.message]);
         }
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore
         const { orgId } = parseIdUrl(authFieldsBuilder.id);
         let username = this.getUsername();
         if (!username) {
-            // @ts-ignore
             const userInfo = await this.retrieveUserInfo(authFieldsBuilder.instance_url, authFieldsBuilder.access_token);
-            username = (0, ts_types_1.ensureString)(userInfo === null || userInfo === void 0 ? void 0 : userInfo.username);
+            username = (0, ts_types_1.ensureString)(userInfo?.username);
         }
         return {
             orgId,
             username,
             accessToken: authFieldsBuilder.access_token,
-            // @ts-ignore TODO: need better typings for jsforce
             instanceUrl: authFieldsBuilder.instance_url,
-            // @ts-ignore TODO: need better typings for jsforce
-            loginUrl: options.loginUrl || authFieldsBuilder.instance_url,
+            loginUrl: options.loginUrl ?? authFieldsBuilder.instance_url,
             refreshToken: options.refreshToken,
             clientId: options.clientId,
             clientSecret: options.clientSecret,
@@ -687,24 +767,22 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         catch (err) {
             throw messages.createError('authCodeExchangeError', [err.message]);
         }
-        // @ts-ignore TODO: need better typings for jsforce
         const { orgId } = parseIdUrl(authFields.id);
         let username = this.getUsername();
         // Only need to query for the username if it isn't known. For example, a new auth code exchange
         // rather than refreshing a token on an existing connection.
         if (!username) {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore
             const userInfo = await this.retrieveUserInfo(authFields.instance_url, authFields.access_token);
-            username = userInfo === null || userInfo === void 0 ? void 0 : userInfo.username;
+            username = userInfo?.username;
         }
         return {
             accessToken: authFields.access_token,
-            // @ts-ignore TODO: need better typings for jsforce
             instanceUrl: authFields.instance_url,
             orgId,
             username,
-            // @ts-ignore TODO: need better typings for jsforce
-            loginUrl: options.loginUrl || authFields.instance_url,
+            loginUrl: options.loginUrl ?? authFields.instance_url,
             refreshToken: authFields.refresh_token,
             clientId: options.clientId,
             clientSecret: options.clientSecret,
@@ -717,7 +795,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
         const apiVersion = 'v51.0'; // hardcoding to v51.0 just for this call is okay.
         const instance = (0, ts_types_1.ensure)(instanceUrl);
         const baseUrl = new sfdcUrl_1.SfdcUrl(instance);
-        const userInfoUrl = `${baseUrl}services/oauth2/userinfo`;
+        const userInfoUrl = `${baseUrl.toString()}services/oauth2/userinfo`;
         const headers = Object.assign({ Authorization: `Bearer ${accessToken}` }, connection_1.SFDX_HTTP_HEADERS);
         try {
             this.logger.info(`Sending request for Username after successful auth code exchange to URL: ${userInfoUrl}`);
@@ -727,7 +805,7 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
             }
             else {
                 const userInfoJson = (0, kit_1.parseJsonMap)(response.body);
-                const url = `${baseUrl}/services/data/${apiVersion}/sobjects/User/${userInfoJson.user_id}`;
+                const url = `${baseUrl.toString()}services/data/${apiVersion}/sobjects/User/${userInfoJson.user_id}`;
                 this.logger.info(`Sending request for User SObject after successful auth code exchange to URL: ${url}`);
                 response = await new transport_1.default().httpRequest({ url, method: 'GET', headers });
                 if (response.statusCode >= 400) {
@@ -751,24 +829,47 @@ class AuthInfo extends kit_1.AsyncOptionalCreatable {
      * @private
      */
     throwUserGetException(response) {
-        var _a;
         let errorMsg = '';
-        const bodyAsString = (0, ts_types_1.getString)(response, 'body', JSON.stringify({ message: 'UNKNOWN', errorCode: 'UNKNOWN' }));
+        const bodyAsString = response.body ?? JSON.stringify({ message: 'UNKNOWN', errorCode: 'UNKNOWN' });
         try {
             const body = (0, kit_1.parseJson)(bodyAsString);
             if ((0, ts_types_1.isArray)(body)) {
-                errorMsg = body
-                    .map((line) => { var _a; return (_a = (0, ts_types_1.getString)(line, 'message')) !== null && _a !== void 0 ? _a : (0, ts_types_1.getString)(line, 'errorCode', 'UNKNOWN'); })
-                    .join(os.EOL);
+                errorMsg = body.map((line) => line.message ?? line.errorCode ?? 'UNKNOWN').join(os.EOL);
             }
             else {
-                errorMsg = (_a = (0, ts_types_1.getString)(body, 'message')) !== null && _a !== void 0 ? _a : (0, ts_types_1.getString)(body, 'errorCode', 'UNKNOWN');
+                errorMsg = body.message ?? body.errorCode ?? 'UNKNOWN';
             }
         }
         catch (err) {
             errorMsg = `${bodyAsString}`;
         }
-        throw new sfdxError_1.SfdxError(errorMsg);
+        throw new sfError_1.SfError(errorMsg);
+    }
+    /**
+     * Returns `true` if the org is a Dev Hub.
+     *
+     * Check access to the ScratchOrgInfo object to determine if the org is a dev hub.
+     */
+    async determineIfDevHub(instanceUrl, accessToken) {
+        // Make a REST call for the ScratchOrgInfo obj directly.  Normally this is done via a connection
+        // but we don't want to create circular dependencies or lots of snowflakes
+        // within this file to support it.
+        const apiVersion = 'v51.0'; // hardcoding to v51.0 just for this call is okay.
+        const instance = (0, ts_types_1.ensure)(instanceUrl);
+        const baseUrl = new sfdcUrl_1.SfdcUrl(instance);
+        const scratchOrgInfoUrl = `${baseUrl.toString()}/services/data/${apiVersion}/query?q=SELECT%20Id%20FROM%20ScratchOrgInfo%20limit%201`;
+        const headers = Object.assign({ Authorization: `Bearer ${accessToken}` }, connection_1.SFDX_HTTP_HEADERS);
+        try {
+            const res = await new transport_1.default().httpRequest({ url: scratchOrgInfoUrl, method: 'GET', headers });
+            if (res.statusCode >= 400) {
+                return false;
+            }
+            return true;
+        }
+        catch (err) {
+            /* Not a dev hub */
+            return false;
+        }
     }
 }
 exports.AuthInfo = AuthInfo;