@sitecore-content-sdk/core 0.2.0-beta.13 → 0.2.0-beta.14

package/dist/cjs/constants.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_SITECORE_AUTH_AUDIENCE = exports.DEFAULT_SITECORE_AUTH_ENDPOINT = exports.HIDDEN_RENDERING_NAME = exports.SITECORE_EDGE_URL_DEFAULT = exports.siteNameError = exports.SitecoreTemplateId = void 0;
+exports.DEFAULT_SITECORE_AUTH_BASE_URL = exports.DEFAULT_SITECORE_AUTH_AUDIENCE = exports.DEFAULT_SITECORE_AUTH_DOMAIN = exports.HIDDEN_RENDERING_NAME = exports.SITECORE_EDGE_URL_DEFAULT = exports.siteNameError = exports.SitecoreTemplateId = void 0;
 var SitecoreTemplateId;
 (function (SitecoreTemplateId) {
     // /sitecore/templates/Foundation/JavaScript Services/App
@@ -11,5 +11,6 @@ var SitecoreTemplateId;
 exports.siteNameError = 'The siteName cannot be empty';
 exports.SITECORE_EDGE_URL_DEFAULT = 'https://edge-platform.sitecorecloud.io';
 exports.HIDDEN_RENDERING_NAME = 'Hidden Rendering';
-exports.DEFAULT_SITECORE_AUTH_ENDPOINT = 'https://auth.sitecorecloud.io/oauth/token';
+exports.DEFAULT_SITECORE_AUTH_DOMAIN = 'https://auth.sitecorecloud.io';
 exports.DEFAULT_SITECORE_AUTH_AUDIENCE = 'https://api.sitecorecloud.io';
+exports.DEFAULT_SITECORE_AUTH_BASE_URL = 'https://edge-platform.sitecorecloud.io/cs/api';

package/dist/cjs/tools/auth/flow.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.clientCredentialsFlow = void 0;
+const tenant_store_1 = require("./tenant-store");
+const constants_1 = require("../../constants");
+const GRANT_TYPE = 'client_credentials';
+/**
+ * Performs the OAuth 2.0 client credentials flow to obtain a JWT access token
+ * from the Sitecore Identity Provider using the provided client credentials.
+ * @param {object} [args] - The arguments for client credentials flow
+ * @param {string} [args.clientId] - The client ID registered with Sitecore Identity
+ * @param {string} [args.clientSecret] - The client secret associated with the client ID
+ * @param {string} [args.organizationId] - The ID of the organization the client belongs to
+ * @param {string} [args.tenantId] - The tenant ID representing the specific Sitecore environment
+ * @param {string} [args.audience] - The API audience the token is intended for. Defaults to `constants.DEFAULT_SITECORE_AUTH_AUDIENCE`
+ * @param {string} [args.authority] - The auth server base URL. Defaults to `constants.DEFAULT_SITECORE_AUTH_DOMAIN`
+ * @param {string} [args.baseUrl] - The base URL for the API, used to construct the audience. Defaults to `constants.DEFAULT_SITECORE_AUTH_BASE_URL`
+ * @returns A Promise that resolves to the access token response (including access token, token type, expiry, etc.)
+ * @throws Will log and exit the process if the request fails or returns a non-OK status
+ */
+exports.clientCredentialsFlow = _clientCredentialsFlow;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set clientCredentialsFlow(mockImplementation) {
+        exports.clientCredentialsFlow = mockImplementation;
+    },
+    get clientCredentialsFlow() {
+        return _clientCredentialsFlow;
+    },
+};
+async function _clientCredentialsFlow({ clientId, clientSecret, organizationId, tenantId, audience = constants_1.DEFAULT_SITECORE_AUTH_AUDIENCE, authority = constants_1.DEFAULT_SITECORE_AUTH_DOMAIN, baseUrl = constants_1.DEFAULT_SITECORE_AUTH_BASE_URL, }) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret !== null && clientSecret !== void 0 ? clientSecret : '',
+        organization_id: organizationId !== null && organizationId !== void 0 ? organizationId : '',
+        tenant_id: tenantId !== null && tenantId !== void 0 ? tenantId : '',
+        audience,
+        grant_type: GRANT_TYPE,
+        baseUrl: baseUrl !== null && baseUrl !== void 0 ? baseUrl : '',
+    });
+    try {
+        const response = await fetch(`${authority}/oauth/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            throw new Error(data.error_description || data.error || 'Error during client credentials flow');
+        }
+        const decodedPayload = (0, tenant_store_1.decodeJwtPayload)(data.access_token) || {};
+        if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
+            throw new Error('\n Token is missing required claims tenant_id or org_id.');
+        }
+        const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
+        if (tenantId && tenantId !== tokenTenantId) {
+            throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
+        }
+        if (organizationId && organizationId !== tokenOrgId) {
+            throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
+        }
+        return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
+    }
+    catch (error) {
+        console.error('\n Error during client credentials flow:', error instanceof Error ? error.message : error);
+        throw error;
+    }
+}

package/dist/cjs/tools/auth/index.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeTenantInfo = exports.getAllTenantsInfo = exports.readTenantInfo = exports.deleteTenantAuthInfo = exports.readTenantAuthInfo = exports.writeTenantAuthInfo = exports.clearActiveTenant = exports.setActiveTenant = exports.getActiveTenant = exports.validateAuthInfo = exports.renewAuthIfExpired = exports.renewClientToken = exports.clientCredentialsFlow = void 0;
+var flow_1 = require("./flow");
+Object.defineProperty(exports, "clientCredentialsFlow", { enumerable: true, get: function () { return flow_1.clientCredentialsFlow; } });
+var renewal_1 = require("./renewal");
+Object.defineProperty(exports, "renewClientToken", { enumerable: true, get: function () { return renewal_1.renewClientToken; } });
+Object.defineProperty(exports, "renewAuthIfExpired", { enumerable: true, get: function () { return renewal_1.renewAuthIfExpired; } });
+Object.defineProperty(exports, "validateAuthInfo", { enumerable: true, get: function () { return renewal_1.validateAuthInfo; } });
+var tenant_state_1 = require("./tenant-state");
+Object.defineProperty(exports, "getActiveTenant", { enumerable: true, get: function () { return tenant_state_1.getActiveTenant; } });
+Object.defineProperty(exports, "setActiveTenant", { enumerable: true, get: function () { return tenant_state_1.setActiveTenant; } });
+Object.defineProperty(exports, "clearActiveTenant", { enumerable: true, get: function () { return tenant_state_1.clearActiveTenant; } });
+var tenant_store_1 = require("./tenant-store");
+Object.defineProperty(exports, "writeTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.writeTenantAuthInfo; } });
+Object.defineProperty(exports, "readTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.readTenantAuthInfo; } });
+Object.defineProperty(exports, "deleteTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.deleteTenantAuthInfo; } });
+Object.defineProperty(exports, "readTenantInfo", { enumerable: true, get: function () { return tenant_store_1.readTenantInfo; } });
+Object.defineProperty(exports, "getAllTenantsInfo", { enumerable: true, get: function () { return tenant_store_1.getAllTenantsInfo; } });
+Object.defineProperty(exports, "writeTenantInfo", { enumerable: true, get: function () { return tenant_store_1.writeTenantInfo; } });

package/dist/cjs/tools/auth/models.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/tools/auth/renewal.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateAuthInfo = validateAuthInfo;
+exports.renewClientToken = renewClientToken;
+exports.renewAuthIfExpired = renewAuthIfExpired;
+const tenant_state_1 = require("./tenant-state");
+const flow_1 = require("./flow");
+const tenant_store_1 = require("./tenant-store");
+/**
+ * Validates whether a given auth config is still valid (i.e., not expired).
+ * @param {TenantAuth} authInfo - The tenant auth configuration.
+ * @returns True if the token is still valid, false if expired.
+ */
+function validateAuthInfo(authInfo) {
+    const now = new Date();
+    const expiry = new Date(authInfo.expires_at);
+    return now < expiry;
+}
+/**
+ * Renews the token for a given tenant using stored credentials.
+ * @param {TenantAuth} authInfo - Current authentication info for the tenant.
+ * @param {TenantInfo} tenantInfo - Public metadata about the tenant (e.g., clientId).
+ * @returns Promise<void>
+ * @throws If credentials are missing or renewal fails.
+ */
+async function renewClientToken(authInfo, tenantInfo) {
+    const result = await (0, flow_1.clientCredentialsFlow)({
+        clientId: tenantInfo.clientId,
+        clientSecret: authInfo.clientSecret,
+        organizationId: tenantInfo.organizationId,
+        tenantId: tenantInfo.tenantId,
+        audience: tenantInfo.audience,
+        authority: tenantInfo.authority,
+        baseUrl: tenantInfo.baseUrl,
+    });
+    const tenantId = tenantInfo.tenantId;
+    await (0, tenant_store_1.writeTenantAuthInfo)(tenantId, {
+        clientSecret: authInfo.clientSecret,
+        access_token: result.data.access_token,
+        expires_in: result.data.expires_in,
+        expires_at: new Date(Date.now() + result.data.expires_in * 1000).toISOString(),
+    });
+    console.info(`\n Token for tenant ${tenantId} renewed.`);
+}
+/**
+ * Ensures a valid token exists, renews it if expired.
+ * Returns tenant context if successful, otherwise null.
+ */
+async function renewAuthIfExpired() {
+    const tenantId = (0, tenant_state_1.getActiveTenant)();
+    if (!tenantId)
+        return null;
+    const authInfo = await (0, tenant_store_1.readTenantAuthInfo)(tenantId);
+    if (!authInfo)
+        return null;
+    const isValid = validateAuthInfo(authInfo);
+    if (isValid) {
+        return { tenantId };
+    }
+    const tenantInfo = await (0, tenant_store_1.readTenantInfo)(tenantId);
+    if (!tenantInfo)
+        return null;
+    console.info(`\n Token for tenant ${tenantId} is expired. Renewing...`);
+    try {
+        if (authInfo.clientSecret) {
+            await renewClientToken(authInfo, tenantInfo);
+        }
+        else {
+            // <TODO>: Implement Device auth token renewal.
+            throw new Error('\n Please use clientSecret for authentication.');
+        }
+        return { tenantId };
+    }
+    catch (err) {
+        console.error(`\n Failed to renew token for tenant '${tenantId}'`);
+        console.warn(`\n Cleaning up stale authentication data for tenant '${tenantId}'...`);
+        await (0, tenant_store_1.deleteTenantAuthInfo)(tenantId);
+        (0, tenant_state_1.clearActiveTenant)();
+        console.info('\n You will need to login again to re-authenticate.');
+        process.exit(1);
+    }
+}

package/dist/cjs/tools/auth/tenant-state.js

@@ -0,0 +1,110 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.clearActiveTenant = exports.getActiveTenant = void 0;
+exports.setActiveTenant = setActiveTenant;
+/* eslint-disable jsdoc/require-jsdoc */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const configDir = path.join(os.homedir(), '.sitecore', 'sitecore-tools');
+const settingsFile = path.join(configDir, 'settings.json');
+/**
+ * Gets the ID of the currently active tenant from settings.json.
+ * @returns The active tenant ID if present, otherwise null.
+ */
+exports.getActiveTenant = _getActiveTenant;
+/**
+ * Clears the currently active tenant from settings.json by deleting the file.
+ */
+exports.clearActiveTenant = _clearActiveTenant;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set clearActiveTenant(mockImplementation) {
+        exports.clearActiveTenant = mockImplementation;
+    },
+    get clearActiveTenant() {
+        return _clearActiveTenant;
+    },
+    set getActiveTenant(mockImplementation) {
+        exports.getActiveTenant = mockImplementation;
+    },
+    get getActiveTenant() {
+        return _getActiveTenant;
+    },
+};
+function _getActiveTenant() {
+    var _a;
+    if (!fs.existsSync(settingsFile)) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(settingsFile, 'utf-8');
+        const data = JSON.parse(content);
+        return (_a = data.activeTenant) !== null && _a !== void 0 ? _a : null;
+    }
+    catch (error) {
+        console.error(`\n Failed to read active tenant: ${error.message}`);
+        return null;
+    }
+}
+/**
+ * Sets the currently active tenant by writing to settings.json.
+ * @param {string} tenantId - The tenant ID to set as active.
+ */
+function setActiveTenant(tenantId) {
+    try {
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true });
+        }
+        const data = { activeTenant: tenantId };
+        fs.writeFileSync(settingsFile, JSON.stringify(data, null, 2));
+    }
+    catch (error) {
+        console.error(`\n Failed to set active tenant '${tenantId}': ${error.message}`);
+    }
+}
+function _clearActiveTenant() {
+    try {
+        if (fs.existsSync(settingsFile)) {
+            fs.unlinkSync(settingsFile);
+        }
+    }
+    catch (error) {
+        console.error(`\n Failed to clear active tenant: ${error.message}`);
+    }
+}

package/dist/cjs/tools/auth/tenant-store.js

@@ -0,0 +1,243 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.getAllTenantsInfo = exports.deleteTenantAuthInfo = exports.readTenantInfo = exports.writeTenantInfo = exports.readTenantAuthInfo = exports.writeTenantAuthInfo = exports.decodeJwtPayload = void 0;
+exports.getTenantPath = getTenantPath;
+/* eslint-disable jsdoc/require-jsdoc */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const CLAIMS = 'https://auth.sitecorecloud.io/claims';
+const rootDir = path.join(os.homedir(), '.sitecore', 'sitecore-tools');
+/**
+ * Decodes a JWT without verifying its signature.
+ * @param {string} token - The access token string.
+ * @returns Decoded payload object or null if invalid.
+ */
+exports.decodeJwtPayload = _decodeJwtPayload;
+/**
+ * Write the authentication configuration for a tenant.
+ * @param {string} tenantId - The tenant ID.
+ * @param {TenantAuth} authInfo - The tenant's auth data.
+ */
+exports.writeTenantAuthInfo = _writeTenantAuthInfo;
+/**
+ * Read the authentication configuration for a tenant.
+ * @param {string} tenantId - The tenant ID.
+ * @returns Parsed auth config or null if not found or failed to read.
+ */
+exports.readTenantAuthInfo = _readTenantAuthInfo;
+/**
+ * Write the public metadata information for a tenant.
+ * @param {TenantInfo} info - The tenant info object.
+ */
+exports.writeTenantInfo = _writeTenantInfo;
+/**
+ * Read the public metadata information for a tenant.
+ * @param {string} tenantId - The tenant ID.
+ * @returns Parsed tenant info or null if not found or failed to read.
+ */
+exports.readTenantInfo = _readTenantInfo;
+/**
+ * Deletes the stored auth.json file for the given tenant.
+ * @param {string} tenantId - The tenant ID.
+ */
+exports.deleteTenantAuthInfo = _deleteTenantAuthInfo;
+/**
+ * Scans the CLI root directory and returns all valid tenant infos.
+ * @returns A list of TenantInfo objects found in {tenant-id}/info.json files.
+ */
+exports.getAllTenantsInfo = _getAllTenantsInfo;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set decodeJwtPayload(mockImplementation) {
+        exports.decodeJwtPayload = mockImplementation;
+    },
+    get decodeJwtPayload() {
+        return _decodeJwtPayload;
+    },
+    set writeTenantAuthInfo(mockImplementation) {
+        exports.writeTenantAuthInfo = mockImplementation;
+    },
+    get writeTenantAuthInfo() {
+        return _writeTenantAuthInfo;
+    },
+    set readTenantAuthInfo(mockImplementation) {
+        exports.readTenantAuthInfo = mockImplementation;
+    },
+    get readTenantAuthInfo() {
+        return _readTenantAuthInfo;
+    },
+    set writeTenantInfo(mockImplementation) {
+        exports.writeTenantInfo = mockImplementation;
+    },
+    get writeTenantInfo() {
+        return _writeTenantInfo;
+    },
+    set readTenantInfo(mockImplementation) {
+        exports.readTenantInfo = mockImplementation;
+    },
+    get readTenantInfo() {
+        return _readTenantInfo;
+    },
+    set deleteTenantAuthInfo(mockImplementation) {
+        exports.deleteTenantAuthInfo = mockImplementation;
+    },
+    get deleteTenantAuthInfo() {
+        return _deleteTenantAuthInfo;
+    },
+    set getAllTenantsInfo(mockImplementation) {
+        exports.getAllTenantsInfo = mockImplementation;
+    },
+    get getAllTenantsInfo() {
+        return _getAllTenantsInfo;
+    },
+};
+/**
+ * Get the full path to the tenant-specific folder.
+ * @param {string} tenantId - The tenant ID.
+ * @returns The absolute path to the tenant directory.
+ */
+function getTenantPath(tenantId) {
+    return path.join(rootDir, tenantId);
+}
+async function _writeTenantAuthInfo(tenantId, authInfo) {
+    try {
+        const dir = getTenantPath(tenantId);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(path.join(dir, 'auth.json'), JSON.stringify(authInfo, null, 2));
+    }
+    catch (error) {
+        console.error(`\n Failed to write auth.json for tenant '${tenantId}': ${error.message}`);
+    }
+}
+async function _readTenantAuthInfo(tenantId) {
+    const filePath = path.join(getTenantPath(tenantId), 'auth.json');
+    if (!fs.existsSync(filePath))
+        return null;
+    try {
+        const raw = fs.readFileSync(filePath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        console.error(`\n Failed to read auth.json for tenant '${tenantId}': ${error.message}`);
+        return null;
+    }
+}
+async function _writeTenantInfo(info) {
+    try {
+        const dir = getTenantPath(info.tenantId);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(path.join(dir, 'info.json'), JSON.stringify(info, null, 2));
+    }
+    catch (error) {
+        console.error(`\n Failed to write info.json for tenant '${info.tenantId}': ${error.message}`);
+    }
+}
+async function _readTenantInfo(tenantId) {
+    const infoFilePath = path.join(getTenantPath(tenantId), 'info.json');
+    if (!fs.existsSync(infoFilePath)) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(infoFilePath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch (error) {
+        console.error(`\n Failed to read info.json for tenant '${tenantId}': ${error.message}`);
+        return null;
+    }
+}
+async function _deleteTenantAuthInfo(tenantId) {
+    const filePath = path.join(getTenantPath(tenantId), 'auth.json');
+    try {
+        if (fs.existsSync(filePath)) {
+            fs.unlinkSync(filePath);
+        }
+    }
+    catch (error) {
+        console.error(`\n Failed to delete auth.json for tenant '${tenantId}': ${error.message}`);
+    }
+}
+function _getAllTenantsInfo() {
+    if (!fs.existsSync(rootDir))
+        return [];
+    const subDirs = fs
+        .readdirSync(rootDir)
+        .filter((entry) => fs.statSync(path.join(rootDir, entry)).isDirectory());
+    const tenants = [];
+    for (const dir of subDirs) {
+        const infoPath = path.join(rootDir, dir, 'info.json');
+        if (fs.existsSync(infoPath)) {
+            try {
+                const content = fs.readFileSync(infoPath, 'utf-8');
+                const data = JSON.parse(content);
+                if (data.tenantId && data.tenantName && data.organizationId && data.clientId) {
+                    tenants.push({
+                        tenantId: data.tenantId,
+                        tenantName: data.tenantName,
+                        organizationId: data.organizationId,
+                        clientId: data.clientId,
+                        authority: data.authority,
+                        audience: data.audience,
+                        baseUrl: data.baseUrl,
+                    });
+                }
+            }
+            catch (error) {
+                console.error('\n Failed to read tenant info file', error.message);
+            }
+        }
+    }
+    return tenants;
+}
+function _decodeJwtPayload(token) {
+    try {
+        const base64Payload = token.split('.')[1];
+        const payload = Buffer.from(base64Payload, 'base64').toString('utf-8');
+        const decoded = JSON.parse(payload);
+        return {
+            tokenTenantId: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/tenant_id`],
+            tokenOrgId: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/org_id`],
+            tokenTenantName: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/tenant_name`],
+        };
+    }
+    catch (error) {
+        console.error('\n Failed to decode access token:', error.message);
+        return null;
+    }
+}

package/dist/cjs/tools/index.js

@@ -10,11 +10,33 @@ var __createBinding = (this && this.__createBinding) || (Object.create ? (functi
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
 }));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fetchBearerToken = exports.scaffoldComponent = exports.generateMetadata = exports.generateSites = void 0;
+exports.auth = exports.scaffoldComponent = exports.generateMetadata = exports.generateSites = void 0;
 var generateSites_1 = require("./generateSites");
 Object.defineProperty(exports, "generateSites", { enumerable: true, get: function () { return generateSites_1.generateSites; } });
 var generateMetadata_1 = require("./generateMetadata");
@@ -22,5 +44,6 @@ Object.defineProperty(exports, "generateMetadata", { enumerable: true, get: func
 var scaffold_1 = require("./scaffold");
 Object.defineProperty(exports, "scaffoldComponent", { enumerable: true, get: function () { return scaffold_1.scaffoldComponent; } });
 __exportStar(require("./templating"), exports);
-var fetch_bearer_token_1 = require("./auth/fetch-bearer-token");
-Object.defineProperty(exports, "fetchBearerToken", { enumerable: true, get: function () { return fetch_bearer_token_1.fetchBearerToken; } });
+__exportStar(require("./auth/models"), exports);
+const auth = __importStar(require("./auth"));
+exports.auth = auth;

package/dist/esm/constants.js

@@ -8,5 +8,6 @@ export var SitecoreTemplateId;
 export const siteNameError = 'The siteName cannot be empty';
 export const SITECORE_EDGE_URL_DEFAULT = 'https://edge-platform.sitecorecloud.io';
 export const HIDDEN_RENDERING_NAME = 'Hidden Rendering';
-export const DEFAULT_SITECORE_AUTH_ENDPOINT = 'https://auth.sitecorecloud.io/oauth/token';
+export const DEFAULT_SITECORE_AUTH_DOMAIN = 'https://auth.sitecorecloud.io';
 export const DEFAULT_SITECORE_AUTH_AUDIENCE = 'https://api.sitecorecloud.io';
+export const DEFAULT_SITECORE_AUTH_BASE_URL = 'https://edge-platform.sitecorecloud.io/cs/api';

package/dist/esm/tools/auth/flow.js

@@ -0,0 +1,67 @@
+import { decodeJwtPayload } from './tenant-store';
+import { DEFAULT_SITECORE_AUTH_DOMAIN, DEFAULT_SITECORE_AUTH_AUDIENCE, DEFAULT_SITECORE_AUTH_BASE_URL, } from '../../constants';
+const GRANT_TYPE = 'client_credentials';
+/**
+ * Performs the OAuth 2.0 client credentials flow to obtain a JWT access token
+ * from the Sitecore Identity Provider using the provided client credentials.
+ * @param {object} [args] - The arguments for client credentials flow
+ * @param {string} [args.clientId] - The client ID registered with Sitecore Identity
+ * @param {string} [args.clientSecret] - The client secret associated with the client ID
+ * @param {string} [args.organizationId] - The ID of the organization the client belongs to
+ * @param {string} [args.tenantId] - The tenant ID representing the specific Sitecore environment
+ * @param {string} [args.audience] - The API audience the token is intended for. Defaults to `constants.DEFAULT_SITECORE_AUTH_AUDIENCE`
+ * @param {string} [args.authority] - The auth server base URL. Defaults to `constants.DEFAULT_SITECORE_AUTH_DOMAIN`
+ * @param {string} [args.baseUrl] - The base URL for the API, used to construct the audience. Defaults to `constants.DEFAULT_SITECORE_AUTH_BASE_URL`
+ * @returns A Promise that resolves to the access token response (including access token, token type, expiry, etc.)
+ * @throws Will log and exit the process if the request fails or returns a non-OK status
+ */
+export let clientCredentialsFlow = _clientCredentialsFlow;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+export const unitMocks = {
+    set clientCredentialsFlow(mockImplementation) {
+        clientCredentialsFlow = mockImplementation;
+    },
+    get clientCredentialsFlow() {
+        return _clientCredentialsFlow;
+    },
+};
+async function _clientCredentialsFlow({ clientId, clientSecret, organizationId, tenantId, audience = DEFAULT_SITECORE_AUTH_AUDIENCE, authority = DEFAULT_SITECORE_AUTH_DOMAIN, baseUrl = DEFAULT_SITECORE_AUTH_BASE_URL, }) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret !== null && clientSecret !== void 0 ? clientSecret : '',
+        organization_id: organizationId !== null && organizationId !== void 0 ? organizationId : '',
+        tenant_id: tenantId !== null && tenantId !== void 0 ? tenantId : '',
+        audience,
+        grant_type: GRANT_TYPE,
+        baseUrl: baseUrl !== null && baseUrl !== void 0 ? baseUrl : '',
+    });
+    try {
+        const response = await fetch(`${authority}/oauth/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            throw new Error(data.error_description || data.error || 'Error during client credentials flow');
+        }
+        const decodedPayload = decodeJwtPayload(data.access_token) || {};
+        if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
+            throw new Error('\n Token is missing required claims tenant_id or org_id.');
+        }
+        const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
+        if (tenantId && tenantId !== tokenTenantId) {
+            throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
+        }
+        if (organizationId && organizationId !== tokenOrgId) {
+            throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
+        }
+        return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
+    }
+    catch (error) {
+        console.error('\n Error during client credentials flow:', error instanceof Error ? error.message : error);
+        throw error;
+    }
+}