@salesforce/lds-runtime-aura 1.404.0-dev1 → 1.405.0

package/dist/ldsEngineCreator.js

@@ -2666,7 +2666,7 @@ function buildServiceDescriptor$d(luvio) {
         },
     };
 }
-// version: 1.404.0-dev1-9582436c8f
+// version: 1.405.0-13ac2fd8fa
 
 /*!
  * Copyright (c) 2022, Salesforce, Inc.,
@@ -3004,7 +3004,7 @@ function buildServiceDescriptor$9(notifyRecordUpdateAvailable, getNormalizedLuvi
         },
     };
 }
-// version: 1.404.0-dev1-9582436c8f
+// version: 1.405.0-13ac2fd8fa
 
 /*!
  * Copyright (c) 2022, Salesforce, Inc.,
@@ -4707,7 +4707,7 @@ function getEnvironmentSetting(name) {
     }
     return undefined;
 }
-// version: 1.404.0-dev1-9582436c8f
+// version: 1.405.0-13ac2fd8fa
 
 /**
  * Observability / Critical Availability Program (230+)
@@ -5715,6 +5715,202 @@ function buildLexRuntimeLuvio5xxStatusResponseInterceptor() {
     };
 }
 
+const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
+const CSRF_STORAGE_NAME = 'ldsCSRFToken';
+const BASE_URI = '/services/data/v66.0';
+const UI_API_BASE_URI = `${BASE_URI}/ui-api`;
+const CSRF_TOKEN_ENDPOINT = `${UI_API_BASE_URI}/session/csrf`;
+const CSRF_STORAGE_CONFIG = {
+    name: CSRF_STORAGE_NAME,
+    persistent: true,
+    secure: true,
+    maxSize: 1024,
+    expiration: 24 * 60 * 60,
+    clearOnInit: false,
+    debugLogging: false,
+};
+/**
+ * Manages CSRF token fetching and caching for secure requests.
+ * Implements a singleton pattern to ensure consistent token management across the application.
+ */
+class CsrfTokenManager {
+    constructor() {
+        this.tokenPromise = null;
+        // Initialize AuraStorage
+        this.storage = createStorage(CSRF_STORAGE_CONFIG);
+    }
+    static getInstance() {
+        if (!CsrfTokenManager.instance) {
+            CsrfTokenManager.instance = new CsrfTokenManager();
+        }
+        return CsrfTokenManager.instance;
+    }
+    /**
+     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
+     *
+     * @private
+     */
+    async loadOrFetchToken() {
+        // First try to get token from AuraStorage
+        if (this.storage) {
+            try {
+                const cachedToken = await this.storage.get(CSRF_TOKEN_KEY);
+                if (typeof cachedToken === 'string' && cachedToken) {
+                    return cachedToken;
+                }
+            }
+            catch {
+                // If storage read fails, continue to fetch
+            }
+        }
+        // No cached token, fetch from server
+        return this.fetchFreshToken();
+    }
+    /**
+     * Call API endpoint to acquire a CSRF token and cache it.
+     *
+     * @private
+     */
+    async fetchFreshToken() {
+        try {
+            const response = await fetch(CSRF_TOKEN_ENDPOINT, {
+                method: 'GET',
+                credentials: 'same-origin',
+            });
+            if (!response.ok) {
+                return undefined;
+            }
+            const data = await response.json();
+            const token = data.csrfToken;
+            if (token && this.storage) {
+                // Cache the token in AuraStorage
+                try {
+                    await this.storage.set(CSRF_TOKEN_KEY, token);
+                }
+                catch {
+                    // Non-fatal: token is still available even if caching fails
+                }
+            }
+            return token;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Returns the current token value as a Promise.
+     * Lazy-loads the token on first call (from cache or by fetching).
+     */
+    async getToken() {
+        // Lazy initialization: only fetch token when actually needed
+        if (!this.tokenPromise) {
+            this.tokenPromise = this.loadOrFetchToken();
+        }
+        return this.tokenPromise;
+    }
+    /**
+     * Obtains and returns a new token value as a promise.
+     * This will clear the cached token and fetch a fresh one.
+     */
+    async refreshToken() {
+        // Clear cached token
+        if (this.storage) {
+            try {
+                await this.storage.remove(CSRF_TOKEN_KEY);
+            }
+            catch {
+                // Non-fatal: continue with refresh even if clear fails
+            }
+        }
+        // Fetch (and cache) fresh token
+        this.tokenPromise = this.fetchFreshToken();
+        return this.tokenPromise;
+    }
+    /**
+     * Reset the singleton instance (useful for testing).
+     * @internal
+     */
+    static resetInstance() {
+        CsrfTokenManager.instance = null;
+    }
+}
+CsrfTokenManager.instance = null;
+
+const CSRF_TOKEN_HEADER = 'X-CSRF-Token';
+/**
+ * Determines if the HTTP method requires CSRF protection.
+ * Only mutating operations (POST, PUT, PATCH, DELETE) require CSRF tokens.
+ *
+ * @param method - The HTTP method to check
+ * @returns true if the method requires CSRF protection
+ */
+function isCsrfMethod(method) {
+    if (!method) {
+        return false;
+    }
+    const normalizedMethod = method.toLowerCase();
+    return (normalizedMethod === 'post' ||
+        normalizedMethod === 'put' ||
+        normalizedMethod === 'patch' ||
+        normalizedMethod === 'delete');
+}
+/**
+ * Builds a request interceptor that adds CSRF token headers to mutating requests.
+ * The CSRF token is fetched once and cached for subsequent requests.
+ * Only POST, PUT, PATCH, and DELETE requests will have the CSRF token added.
+ *
+ * @returns A RequestInterceptor function for FetchParameters
+ */
+function buildCsrfTokenInterceptor() {
+    const csrfTokenManager = CsrfTokenManager.getInstance();
+    return async (fetchArgs) => {
+        const [urlOrRequest, options] = fetchArgs;
+        // Determine the method from either Request object or options
+        let method;
+        if (typeof urlOrRequest !== 'string' && 'method' in urlOrRequest) {
+            method = urlOrRequest.method;
+        }
+        else if (options && 'method' in options) {
+            method = options.method;
+        }
+        // Only add CSRF token for mutating operations
+        if (isCsrfMethod(method)) {
+            const token = await csrfTokenManager.getToken();
+            if (token) {
+                fetchArgs = setHeader(CSRF_TOKEN_HEADER, token, fetchArgs);
+            }
+        }
+        return resolvedPromiseLike$2(fetchArgs);
+    };
+}
+/**
+ * Builds a Luvio request interceptor that adds CSRF token headers to mutating requests.
+ * The CSRF token is fetched once and cached for subsequent requests.
+ * Only POST, PUT, PATCH, and DELETE requests will have the CSRF token added.
+ *
+ * @returns A request interceptor function for Luvio ResourceRequest objects
+ */
+function buildLuvioCsrfTokenInterceptor() {
+    const csrfTokenManager = CsrfTokenManager.getInstance();
+    return async (resourceRequest) => {
+        // Ensure headers object exists
+        if (!resourceRequest.headers) {
+            resourceRequest.headers = {};
+        }
+        // Only add CSRF token for mutating operations
+        if (isCsrfMethod(resourceRequest.method)) {
+            // Don't overwrite existing CSRF token header if it already exists
+            if (!resourceRequest.headers[CSRF_TOKEN_HEADER]) {
+                const token = await csrfTokenManager.getToken();
+                if (token) {
+                    resourceRequest.headers[CSRF_TOKEN_HEADER] = token;
+                }
+            }
+        }
+        return resolvedPromiseLike$2(resourceRequest);
+    };
+}
+
 const API_PATHS = [
     // getLookupActions
     // '/ui-api/actions/lookup/{objectApiNames}',
@@ -5776,7 +5972,7 @@ const composedFetchNetworkAdapter = {
         return API_PATH_MATCHERS.some((matcher) => matcher.test(path));
     },
     adapter: setupLexNetworkAdapter(requestTracker, requestLogger, {
-        request: [buildLuvioPageScopedCacheRequestInterceptor()],
+        request: [buildLuvioPageScopedCacheRequestInterceptor(), buildLuvioCsrfTokenInterceptor()],
         response: [
             buildLexRuntimeLuvio5xxStatusResponseInterceptor(),
             buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(),
@@ -5855,120 +6051,6 @@ function buildTransportMarksReceiveInterceptor() {
     };
 }
 
-const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
-const CSRF_STORAGE_NAME = 'ldsCSRFToken';
-const CSRF_STORAGE_CONFIG = {
-    name: CSRF_STORAGE_NAME,
-    persistent: true,
-    secure: true,
-    maxSize: 1024,
-    expiration: 24 * 60 * 60,
-    clearOnInit: false,
-    debugLogging: false,
-};
-/**
- * Manages CSRF token fetching and caching for secure requests.
- * Implements a singleton pattern to ensure consistent token management across the application.
- */
-class CsrfTokenManager {
-    constructor() {
-        // Initialize AuraStorage
-        this.storage = createStorage(CSRF_STORAGE_CONFIG);
-        // Try to load token from AuraStorage on initialization
-        this.tokenPromise = this.loadOrFetchToken();
-    }
-    static getInstance() {
-        if (!CsrfTokenManager.instance) {
-            CsrfTokenManager.instance = new CsrfTokenManager();
-        }
-        return CsrfTokenManager.instance;
-    }
-    /**
-     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
-     *
-     * @private
-     */
-    async loadOrFetchToken() {
-        // First try to get token from AuraStorage
-        if (this.storage) {
-            try {
-                const cachedToken = await this.storage.get(CSRF_TOKEN_KEY);
-                if (typeof cachedToken === 'string' && cachedToken) {
-                    return cachedToken;
-                }
-            }
-            catch {
-                // If storage read fails, continue to fetch
-            }
-        }
-        // No cached token, fetch from server
-        return this.fetchFreshToken();
-    }
-    /**
-     * Call API endpoint to acquire a CSRF token and cache it.
-     *
-     * @private
-     */
-    async fetchFreshToken() {
-        try {
-            const response = await fetch('/session/csrf', {
-                method: 'GET',
-                credentials: 'same-origin',
-            });
-            if (!response.ok) {
-                return undefined;
-            }
-            const data = await response.json();
-            const token = data.csrfToken;
-            if (token && this.storage) {
-                // Cache the token in AuraStorage
-                try {
-                    await this.storage.set(CSRF_TOKEN_KEY, token);
-                }
-                catch {
-                    // Non-fatal: token is still available even if caching fails
-                }
-            }
-            return token;
-        }
-        catch {
-            return undefined;
-        }
-    }
-    /**
-     * Returns the current token value as a Promise.
-     */
-    async getToken() {
-        return this.tokenPromise;
-    }
-    /**
-     * Obtains and returns a new token value as a promise.
-     * This will clear the cached token and fetch a fresh one.
-     */
-    async refreshToken() {
-        // Clear cached token
-        if (this.storage) {
-            try {
-                await this.storage.remove(CSRF_TOKEN_KEY);
-            }
-            catch {
-                // Non-fatal: continue with refresh even if clear fails
-            }
-        }
-        // Fetch (and cache) fresh token
-        this.tokenPromise = this.fetchFreshToken();
-        return this.tokenPromise;
-    }
-    /**
-     * Reset the singleton instance (useful for testing).
-     * @internal
-     */
-    static resetInstance() {
-        CsrfTokenManager.instance = null;
-    }
-}
-CsrfTokenManager.instance = null;
-
 const DEFAULT_CONFIG$1 = {
     maxRetries: 1, // Only retry once after token refresh
 };
@@ -6077,6 +6159,7 @@ function buildLexRuntimeDefaultFetchServiceDescriptor(logger, retryService) {
             buildThirdPartyTrackerRegisterInterceptor(),
             buildPageScopedCacheRequestInterceptor(),
             buildTransportMarksSendInterceptor(),
+            buildCsrfTokenInterceptor(),
         ],
         response: [
             buildLexRuntime5xxStatusResponseInterceptor(logger),
@@ -6098,6 +6181,7 @@ function buildLexRuntimeAllow5xxFetchServiceDescriptor(logger, retryService) {
             buildThirdPartyTrackerRegisterInterceptor(),
             buildPageScopedCacheRequestInterceptor(),
             buildTransportMarksSendInterceptor(),
+            buildCsrfTokenInterceptor(),
         ],
         response: [buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger)],
         finally: [
@@ -9704,4 +9788,4 @@ function ldsEngineCreator() {
 }
 
 export { LexRequestStrategy, PdlRequestPriority, buildPredictorForContext, ldsEngineCreator as default, initializeLDS, initializeOneStore, notifyUpdateAvailableFactory, registerRequestStrategy, saveRequestAsPrediction, unregisterRequestStrategy, whenPredictionsReady };
-// version: 1.404.0-dev1-48073cfce6
+// version: 1.405.0-d370cbed0f

package/dist/types/request-interceptors/csrf-manager.d.ts

@@ -22,6 +22,7 @@ declare class CsrfTokenManager {
     private fetchFreshToken;
     /**
      * Returns the current token value as a Promise.
+     * Lazy-loads the token on first call (from cache or by fetching).
      */
     getToken(): Promise<string | undefined>;
     /**

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/lds-runtime-aura",
-    "version": "1.404.0-dev1",
+    "version": "1.405.0",
     "license": "SEE LICENSE IN LICENSE.txt",
     "description": "LDS engine for Aura runtime",
     "main": "dist/ldsEngineCreator.js",
@@ -36,14 +36,14 @@
     "devDependencies": {
         "@conduit-client/service-provisioner": "3.2.0",
         "@conduit-client/tools-core": "3.2.0",
-        "@salesforce/lds-adapters-apex": "^1.404.0-dev1",
-        "@salesforce/lds-adapters-uiapi": "^1.404.0-dev1",
-        "@salesforce/lds-ads-bridge": "^1.404.0-dev1",
-        "@salesforce/lds-aura-storage": "^1.404.0-dev1",
-        "@salesforce/lds-bindings": "^1.404.0-dev1",
-        "@salesforce/lds-instrumentation": "^1.404.0-dev1",
-        "@salesforce/lds-network-aura": "^1.404.0-dev1",
-        "@salesforce/lds-network-fetch": "^1.404.0-dev1",
+        "@salesforce/lds-adapters-apex": "^1.405.0",
+        "@salesforce/lds-adapters-uiapi": "^1.405.0",
+        "@salesforce/lds-ads-bridge": "^1.405.0",
+        "@salesforce/lds-aura-storage": "^1.405.0",
+        "@salesforce/lds-bindings": "^1.405.0",
+        "@salesforce/lds-instrumentation": "^1.405.0",
+        "@salesforce/lds-network-aura": "^1.405.0",
+        "@salesforce/lds-network-fetch": "^1.405.0",
         "jwt-encode": "1.0.1"
     },
     "dependencies": {
@@ -71,10 +71,10 @@
         "@luvio/network-adapter-composable": "0.158.7",
         "@luvio/network-adapter-fetch": "0.158.7",
         "@lwc/state": "^0.23.0",
-        "@salesforce/lds-adapters-onestore-graphql": "^1.404.0-dev1",
-        "@salesforce/lds-adapters-uiapi-lex": "^1.404.0-dev1",
-        "@salesforce/lds-luvio-service": "^1.404.0-dev1",
-        "@salesforce/lds-luvio-uiapi-records-service": "^1.404.0-dev1"
+        "@salesforce/lds-adapters-onestore-graphql": "^1.405.0",
+        "@salesforce/lds-adapters-uiapi-lex": "^1.405.0",
+        "@salesforce/lds-luvio-service": "^1.405.0",
+        "@salesforce/lds-luvio-uiapi-records-service": "^1.405.0"
     },
     "luvioBundlesize": [
         {