@sitecore-content-sdk/core 0.2.0-beta.14 → 0.2.0-beta.16

package/dist/cjs/constants.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_SITECORE_AUTH_BASE_URL = exports.DEFAULT_SITECORE_AUTH_AUDIENCE = exports.DEFAULT_SITECORE_AUTH_DOMAIN = exports.HIDDEN_RENDERING_NAME = exports.SITECORE_EDGE_URL_DEFAULT = exports.siteNameError = exports.SitecoreTemplateId = void 0;
+exports.DEFAULT_SITECORE_AUTH_BASE_URL = exports.DEFAULT_SITECORE_AUTH_AUDIENCE = exports.DEFAULT_SITECORE_AUTH_DOMAIN = exports.CLAIMS = exports.HIDDEN_RENDERING_NAME = exports.SITECORE_EDGE_URL_DEFAULT = exports.siteNameError = exports.SitecoreTemplateId = void 0;
 var SitecoreTemplateId;
 (function (SitecoreTemplateId) {
     // /sitecore/templates/Foundation/JavaScript Services/App
@@ -11,6 +11,7 @@ var SitecoreTemplateId;
 exports.siteNameError = 'The siteName cannot be empty';
 exports.SITECORE_EDGE_URL_DEFAULT = 'https://edge-platform.sitecorecloud.io';
 exports.HIDDEN_RENDERING_NAME = 'Hidden Rendering';
+exports.CLAIMS = 'https://auth.sitecorecloud.io/claims';
 exports.DEFAULT_SITECORE_AUTH_DOMAIN = 'https://auth.sitecorecloud.io';
 exports.DEFAULT_SITECORE_AUTH_AUDIENCE = 'https://api.sitecorecloud.io';
 exports.DEFAULT_SITECORE_AUTH_BASE_URL = 'https://edge-platform.sitecorecloud.io/cs/api';

package/dist/cjs/tools/auth/encryption.js

@@ -0,0 +1,141 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.deleteKey = exports.decryptData = exports.encryptData = void 0;
+exports.getKey = getKey;
+/* eslint-disable jsdoc/require-jsdoc */
+const keytar_1 = __importDefault(require("keytar"));
+const crypto = __importStar(require("crypto"));
+const tenant_store_1 = require("./tenant-store");
+const tenant_state_1 = require("./tenant-state");
+const algorithm = 'aes-256-gcm';
+const SERVICE_NAME = 'sitecore-tools-cli';
+/**
+ * Encrypts plaintext using AES-256-GCM for a given tenant.
+ * @param {string} plaintext
+ * @param {string} tenantId
+ */
+exports.encryptData = _encryptData;
+/**
+ * Decrypts encrypted payload using AES-256-GCM for a specific tenant.
+ * If key is corrupted or invalid, optionally clears both key and tenant data.
+ * @param {EncryptedPayload} payload
+ * @param {string} tenantId
+ * @param {string} cleanupOnFailure
+ */
+exports.decryptData = _decryptData;
+/**
+ * Deletes the encryption key for a tenant (useful for cleanup).
+ * @param {string} tenantId
+ */
+exports.deleteKey = _deleteKey;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set encryptData(mockImplementation) {
+        exports.encryptData = mockImplementation;
+    },
+    get encryptData() {
+        return _encryptData;
+    },
+    set decryptData(mockImplementation) {
+        exports.decryptData = mockImplementation;
+    },
+    get decryptData() {
+        return _decryptData;
+    },
+    set deleteKey(mockImplementation) {
+        exports.deleteKey = mockImplementation;
+    },
+    get deleteKey() {
+        return _deleteKey;
+    },
+};
+/**
+ * Generates or retrieves a 32-byte AES key for a specific tenant.
+ * @param {string} tenantId
+ */
+async function getKey(tenantId) {
+    const account = `encryptionKey-${tenantId}`;
+    const key = await keytar_1.default.getPassword(SERVICE_NAME, account);
+    if (!key) {
+        const keyBuffer = crypto.randomBytes(32);
+        await keytar_1.default.setPassword(SERVICE_NAME, account, keyBuffer.toString('base64'));
+        return keyBuffer;
+    }
+    return Buffer.from(key, 'base64');
+}
+async function _encryptData(plaintext, tenantId) {
+    const key = await getKey(tenantId);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag().toString('base64');
+    return {
+        iv: iv.toString('base64'),
+        authTag,
+        encryptedData: encrypted,
+    };
+}
+async function _decryptData(payload, tenantId, cleanupOnFailure = true) {
+    try {
+        const key = await getKey(tenantId);
+        const decipher = crypto.createDecipheriv(algorithm, key, Buffer.from(payload.iv, 'base64'));
+        decipher.setAuthTag(Buffer.from(payload.authTag, 'base64'));
+        let decrypted = decipher.update(payload.encryptedData, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (err) {
+        console.error(`\nFailed to decrypt data for tenant '${tenantId}':`, err);
+        if (cleanupOnFailure) {
+            console.warn(`\nCleaning up key and auth data for corrupted tenant '${tenantId}'...`);
+            await (0, tenant_store_1.deleteTenantAuthInfo)(tenantId);
+            await (0, exports.deleteKey)(`encryptionKey-${tenantId}`);
+            (0, tenant_state_1.clearActiveTenant)();
+            console.warn(`\nCleanup completed for tenant '${tenantId}'.`);
+            return null;
+        }
+        throw err;
+    }
+}
+async function _deleteKey(tenantId) {
+    await keytar_1.default.deletePassword(SERVICE_NAME, `encryptionKey-${tenantId}`);
+}

package/dist/cjs/tools/auth/flow.js

@@ -40,31 +40,25 @@ async function _clientCredentialsFlow({ clientId, clientSecret, organizationId,
         grant_type: GRANT_TYPE,
         baseUrl: baseUrl !== null && baseUrl !== void 0 ? baseUrl : '',
     });
-    try {
-        const response = await fetch(`${authority}/oauth/token`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            body: params.toString(),
-        });
-        const data = await response.json();
-        if (!response.ok) {
-            throw new Error(data.error_description || data.error || 'Error during client credentials flow');
-        }
-        const decodedPayload = (0, tenant_store_1.decodeJwtPayload)(data.access_token) || {};
-        if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
-            throw new Error('\n Token is missing required claims tenant_id or org_id.');
-        }
-        const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
-        if (tenantId && tenantId !== tokenTenantId) {
-            throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
-        }
-        if (organizationId && organizationId !== tokenOrgId) {
-            throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
-        }
-        return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
+    const response = await fetch(`${authority}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: params.toString(),
+    });
+    const data = await response.json();
+    if (!response.ok) {
+        throw new Error(data.error_description || data.error || 'Error during client credentials flow');
+    }
+    const decodedPayload = (0, tenant_store_1.decodeJwtPayload)(data.access_token) || {};
+    if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
+        throw new Error('\n Token is missing required claims tenant_id or org_id.');
+    }
+    const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
+    if (tenantId && tenantId !== tokenTenantId) {
+        throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
     }
-    catch (error) {
-        console.error('\n Error during client credentials flow:', error instanceof Error ? error.message : error);
-        throw error;
+    if (organizationId && organizationId !== tokenOrgId) {
+        throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
     }
+    return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
 }

package/dist/cjs/tools/auth/index.js

@@ -1,11 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.writeTenantInfo = exports.getAllTenantsInfo = exports.readTenantInfo = exports.deleteTenantAuthInfo = exports.readTenantAuthInfo = exports.writeTenantAuthInfo = exports.clearActiveTenant = exports.setActiveTenant = exports.getActiveTenant = exports.validateAuthInfo = exports.renewAuthIfExpired = exports.renewClientToken = exports.clientCredentialsFlow = void 0;
+exports.deleteKey = exports.decryptData = exports.encryptData = exports.writeTenantInfo = exports.getAllTenantsInfo = exports.readTenantInfo = exports.deleteTenantAuthInfo = exports.readTenantAuthInfo = exports.writeTenantAuthInfo = exports.clearActiveTenant = exports.setActiveTenant = exports.getActiveTenant = exports.validateAuthInfo = exports.validateAndRenewAuthIfExpired = exports.renewClientToken = exports.clientCredentialsFlow = void 0;
 var flow_1 = require("./flow");
 Object.defineProperty(exports, "clientCredentialsFlow", { enumerable: true, get: function () { return flow_1.clientCredentialsFlow; } });
 var renewal_1 = require("./renewal");
 Object.defineProperty(exports, "renewClientToken", { enumerable: true, get: function () { return renewal_1.renewClientToken; } });
-Object.defineProperty(exports, "renewAuthIfExpired", { enumerable: true, get: function () { return renewal_1.renewAuthIfExpired; } });
+Object.defineProperty(exports, "validateAndRenewAuthIfExpired", { enumerable: true, get: function () { return renewal_1.validateAndRenewAuthIfExpired; } });
 Object.defineProperty(exports, "validateAuthInfo", { enumerable: true, get: function () { return renewal_1.validateAuthInfo; } });
 var tenant_state_1 = require("./tenant-state");
 Object.defineProperty(exports, "getActiveTenant", { enumerable: true, get: function () { return tenant_state_1.getActiveTenant; } });
@@ -18,3 +18,7 @@ Object.defineProperty(exports, "deleteTenantAuthInfo", { enumerable: true, get:
 Object.defineProperty(exports, "readTenantInfo", { enumerable: true, get: function () { return tenant_store_1.readTenantInfo; } });
 Object.defineProperty(exports, "getAllTenantsInfo", { enumerable: true, get: function () { return tenant_store_1.getAllTenantsInfo; } });
 Object.defineProperty(exports, "writeTenantInfo", { enumerable: true, get: function () { return tenant_store_1.writeTenantInfo; } });
+var encryption_1 = require("./encryption");
+Object.defineProperty(exports, "encryptData", { enumerable: true, get: function () { return encryption_1.encryptData; } });
+Object.defineProperty(exports, "decryptData", { enumerable: true, get: function () { return encryption_1.decryptData; } });
+Object.defineProperty(exports, "deleteKey", { enumerable: true, get: function () { return encryption_1.deleteKey; } });

package/dist/cjs/tools/auth/renewal.js

@@ -2,10 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateAuthInfo = validateAuthInfo;
 exports.renewClientToken = renewClientToken;
-exports.renewAuthIfExpired = renewAuthIfExpired;
+exports.validateAndRenewAuthIfExpired = validateAndRenewAuthIfExpired;
 const tenant_state_1 = require("./tenant-state");
 const flow_1 = require("./flow");
 const tenant_store_1 = require("./tenant-store");
+const encryption_1 = require("./encryption");
 /**
  * Validates whether a given auth config is still valid (i.e., not expired).
  * @param {TenantAuth} authInfo - The tenant auth configuration.
@@ -46,7 +47,7 @@ async function renewClientToken(authInfo, tenantInfo) {
  * Ensures a valid token exists, renews it if expired.
  * Returns tenant context if successful, otherwise null.
  */
-async function renewAuthIfExpired() {
+async function validateAndRenewAuthIfExpired() {
     const tenantId = (0, tenant_state_1.getActiveTenant)();
     if (!tenantId)
         return null;
@@ -75,6 +76,7 @@ async function renewAuthIfExpired() {
         console.error(`\n Failed to renew token for tenant '${tenantId}'`);
         console.warn(`\n Cleaning up stale authentication data for tenant '${tenantId}'...`);
         await (0, tenant_store_1.deleteTenantAuthInfo)(tenantId);
+        await (0, encryption_1.deleteKey)(tenantId);
         (0, tenant_state_1.clearActiveTenant)();
         console.info('\n You will need to login again to re-authenticate.');
         process.exit(1);

package/dist/cjs/tools/auth/tenant-store.js

@@ -39,7 +39,8 @@ exports.getTenantPath = getTenantPath;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
-const CLAIMS = 'https://auth.sitecorecloud.io/claims';
+const encryption_1 = require("./encryption");
+const constants_1 = require("./../../constants");
 const rootDir = path.join(os.homedir(), '.sitecore', 'sitecore-tools');
 /**
  * Decodes a JWT without verifying its signature.
@@ -139,7 +140,8 @@ async function _writeTenantAuthInfo(tenantId, authInfo) {
     try {
         const dir = getTenantPath(tenantId);
         fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(path.join(dir, 'auth.json'), JSON.stringify(authInfo, null, 2));
+        const encrypted = await (0, encryption_1.encryptData)(JSON.stringify(authInfo), tenantId);
+        fs.writeFileSync(path.join(dir, 'auth.json'), JSON.stringify(encrypted));
     }
     catch (error) {
         console.error(`\n Failed to write auth.json for tenant '${tenantId}': ${error.message}`);
@@ -150,8 +152,13 @@ async function _readTenantAuthInfo(tenantId) {
     if (!fs.existsSync(filePath))
         return null;
     try {
-        const raw = fs.readFileSync(filePath, 'utf-8');
-        return JSON.parse(raw);
+        const encryptedPayloadRaw = fs.readFileSync(filePath, 'utf8');
+        const encryptedPayload = JSON.parse(encryptedPayloadRaw);
+        const decryptedData = await (0, encryption_1.decryptData)(encryptedPayload, tenantId, true);
+        if (decryptedData === null) {
+            return null;
+        }
+        return JSON.parse(decryptedData);
     }
     catch (error) {
         console.error(`\n Failed to read auth.json for tenant '${tenantId}': ${error.message}`);
@@ -231,9 +238,9 @@ function _decodeJwtPayload(token) {
         const payload = Buffer.from(base64Payload, 'base64').toString('utf-8');
         const decoded = JSON.parse(payload);
         return {
-            tokenTenantId: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/tenant_id`],
-            tokenOrgId: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/org_id`],
-            tokenTenantName: decoded === null || decoded === void 0 ? void 0 : decoded[`${CLAIMS}/tenant_name`],
+            tokenTenantId: decoded === null || decoded === void 0 ? void 0 : decoded[`${constants_1.CLAIMS}/tenant_id`],
+            tokenOrgId: decoded === null || decoded === void 0 ? void 0 : decoded[`${constants_1.CLAIMS}/org_id`],
+            tokenTenantName: decoded === null || decoded === void 0 ? void 0 : decoded[`${constants_1.CLAIMS}/tenant_name`],
         };
     }
     catch (error) {

package/dist/esm/constants.js

@@ -8,6 +8,7 @@ export var SitecoreTemplateId;
 export const siteNameError = 'The siteName cannot be empty';
 export const SITECORE_EDGE_URL_DEFAULT = 'https://edge-platform.sitecorecloud.io';
 export const HIDDEN_RENDERING_NAME = 'Hidden Rendering';
+export const CLAIMS = 'https://auth.sitecorecloud.io/claims';
 export const DEFAULT_SITECORE_AUTH_DOMAIN = 'https://auth.sitecorecloud.io';
 export const DEFAULT_SITECORE_AUTH_AUDIENCE = 'https://api.sitecorecloud.io';
 export const DEFAULT_SITECORE_AUTH_BASE_URL = 'https://edge-platform.sitecorecloud.io/cs/api';

package/dist/esm/tools/auth/encryption.js

@@ -0,0 +1,101 @@
+/* eslint-disable jsdoc/require-jsdoc */
+import keytar from 'keytar';
+import * as crypto from 'crypto';
+import { deleteTenantAuthInfo } from './tenant-store';
+import { clearActiveTenant } from './tenant-state';
+const algorithm = 'aes-256-gcm';
+const SERVICE_NAME = 'sitecore-tools-cli';
+/**
+ * Encrypts plaintext using AES-256-GCM for a given tenant.
+ * @param {string} plaintext
+ * @param {string} tenantId
+ */
+export let encryptData = _encryptData;
+/**
+ * Decrypts encrypted payload using AES-256-GCM for a specific tenant.
+ * If key is corrupted or invalid, optionally clears both key and tenant data.
+ * @param {EncryptedPayload} payload
+ * @param {string} tenantId
+ * @param {string} cleanupOnFailure
+ */
+export let decryptData = _decryptData;
+/**
+ * Deletes the encryption key for a tenant (useful for cleanup).
+ * @param {string} tenantId
+ */
+export let deleteKey = _deleteKey;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+export const unitMocks = {
+    set encryptData(mockImplementation) {
+        encryptData = mockImplementation;
+    },
+    get encryptData() {
+        return _encryptData;
+    },
+    set decryptData(mockImplementation) {
+        decryptData = mockImplementation;
+    },
+    get decryptData() {
+        return _decryptData;
+    },
+    set deleteKey(mockImplementation) {
+        deleteKey = mockImplementation;
+    },
+    get deleteKey() {
+        return _deleteKey;
+    },
+};
+/**
+ * Generates or retrieves a 32-byte AES key for a specific tenant.
+ * @param {string} tenantId
+ */
+export async function getKey(tenantId) {
+    const account = `encryptionKey-${tenantId}`;
+    const key = await keytar.getPassword(SERVICE_NAME, account);
+    if (!key) {
+        const keyBuffer = crypto.randomBytes(32);
+        await keytar.setPassword(SERVICE_NAME, account, keyBuffer.toString('base64'));
+        return keyBuffer;
+    }
+    return Buffer.from(key, 'base64');
+}
+async function _encryptData(plaintext, tenantId) {
+    const key = await getKey(tenantId);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag().toString('base64');
+    return {
+        iv: iv.toString('base64'),
+        authTag,
+        encryptedData: encrypted,
+    };
+}
+async function _decryptData(payload, tenantId, cleanupOnFailure = true) {
+    try {
+        const key = await getKey(tenantId);
+        const decipher = crypto.createDecipheriv(algorithm, key, Buffer.from(payload.iv, 'base64'));
+        decipher.setAuthTag(Buffer.from(payload.authTag, 'base64'));
+        let decrypted = decipher.update(payload.encryptedData, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (err) {
+        console.error(`\nFailed to decrypt data for tenant '${tenantId}':`, err);
+        if (cleanupOnFailure) {
+            console.warn(`\nCleaning up key and auth data for corrupted tenant '${tenantId}'...`);
+            await deleteTenantAuthInfo(tenantId);
+            await deleteKey(`encryptionKey-${tenantId}`);
+            clearActiveTenant();
+            console.warn(`\nCleanup completed for tenant '${tenantId}'.`);
+            return null;
+        }
+        throw err;
+    }
+}
+async function _deleteKey(tenantId) {
+    await keytar.deletePassword(SERVICE_NAME, `encryptionKey-${tenantId}`);
+}

package/dist/esm/tools/auth/flow.js

@@ -37,31 +37,25 @@ async function _clientCredentialsFlow({ clientId, clientSecret, organizationId,
         grant_type: GRANT_TYPE,
         baseUrl: baseUrl !== null && baseUrl !== void 0 ? baseUrl : '',
     });
-    try {
-        const response = await fetch(`${authority}/oauth/token`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            body: params.toString(),
-        });
-        const data = await response.json();
-        if (!response.ok) {
-            throw new Error(data.error_description || data.error || 'Error during client credentials flow');
-        }
-        const decodedPayload = decodeJwtPayload(data.access_token) || {};
-        if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
-            throw new Error('\n Token is missing required claims tenant_id or org_id.');
-        }
-        const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
-        if (tenantId && tenantId !== tokenTenantId) {
-            throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
-        }
-        if (organizationId && organizationId !== tokenOrgId) {
-            throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
-        }
-        return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
+    const response = await fetch(`${authority}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: params.toString(),
+    });
+    const data = await response.json();
+    if (!response.ok) {
+        throw new Error(data.error_description || data.error || 'Error during client credentials flow');
+    }
+    const decodedPayload = decodeJwtPayload(data.access_token) || {};
+    if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
+        throw new Error('\n Token is missing required claims tenant_id or org_id.');
+    }
+    const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
+    if (tenantId && tenantId !== tokenTenantId) {
+        throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
     }
-    catch (error) {
-        console.error('\n Error during client credentials flow:', error instanceof Error ? error.message : error);
-        throw error;
+    if (organizationId && organizationId !== tokenOrgId) {
+        throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
     }
+    return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
 }

package/dist/esm/tools/auth/index.js

@@ -1,4 +1,5 @@
 export { clientCredentialsFlow } from './flow';
-export { renewClientToken, renewAuthIfExpired, validateAuthInfo } from './renewal';
+export { renewClientToken, validateAndRenewAuthIfExpired, validateAuthInfo } from './renewal';
 export { getActiveTenant, setActiveTenant, clearActiveTenant } from './tenant-state';
 export { writeTenantAuthInfo, readTenantAuthInfo, deleteTenantAuthInfo, readTenantInfo, getAllTenantsInfo, writeTenantInfo, } from './tenant-store';
+export { encryptData, decryptData, deleteKey } from './encryption';

package/dist/esm/tools/auth/renewal.js

@@ -1,6 +1,7 @@
 import { getActiveTenant, clearActiveTenant } from './tenant-state';
 import { clientCredentialsFlow } from './flow';
 import { writeTenantAuthInfo, readTenantAuthInfo, deleteTenantAuthInfo, readTenantInfo, } from './tenant-store';
+import { deleteKey } from './encryption';
 /**
  * Validates whether a given auth config is still valid (i.e., not expired).
  * @param {TenantAuth} authInfo - The tenant auth configuration.
@@ -41,7 +42,7 @@ export async function renewClientToken(authInfo, tenantInfo) {
  * Ensures a valid token exists, renews it if expired.
  * Returns tenant context if successful, otherwise null.
  */
-export async function renewAuthIfExpired() {
+export async function validateAndRenewAuthIfExpired() {
     const tenantId = getActiveTenant();
     if (!tenantId)
         return null;
@@ -70,6 +71,7 @@ export async function renewAuthIfExpired() {
         console.error(`\n Failed to renew token for tenant '${tenantId}'`);
         console.warn(`\n Cleaning up stale authentication data for tenant '${tenantId}'...`);
         await deleteTenantAuthInfo(tenantId);
+        await deleteKey(tenantId);
         clearActiveTenant();
         console.info('\n You will need to login again to re-authenticate.');
         process.exit(1);

package/dist/esm/tools/auth/tenant-store.js

@@ -2,7 +2,8 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
-const CLAIMS = 'https://auth.sitecorecloud.io/claims';
+import { encryptData, decryptData } from './encryption';
+import { CLAIMS } from './../../constants';
 const rootDir = path.join(os.homedir(), '.sitecore', 'sitecore-tools');
 /**
  * Decodes a JWT without verifying its signature.
@@ -102,7 +103,8 @@ async function _writeTenantAuthInfo(tenantId, authInfo) {
     try {
         const dir = getTenantPath(tenantId);
         fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(path.join(dir, 'auth.json'), JSON.stringify(authInfo, null, 2));
+        const encrypted = await encryptData(JSON.stringify(authInfo), tenantId);
+        fs.writeFileSync(path.join(dir, 'auth.json'), JSON.stringify(encrypted));
     }
     catch (error) {
         console.error(`\n Failed to write auth.json for tenant '${tenantId}': ${error.message}`);
@@ -113,8 +115,13 @@ async function _readTenantAuthInfo(tenantId) {
     if (!fs.existsSync(filePath))
         return null;
     try {
-        const raw = fs.readFileSync(filePath, 'utf-8');
-        return JSON.parse(raw);
+        const encryptedPayloadRaw = fs.readFileSync(filePath, 'utf8');
+        const encryptedPayload = JSON.parse(encryptedPayloadRaw);
+        const decryptedData = await decryptData(encryptedPayload, tenantId, true);
+        if (decryptedData === null) {
+            return null;
+        }
+        return JSON.parse(decryptedData);
     }
     catch (error) {
         console.error(`\n Failed to read auth.json for tenant '${tenantId}': ${error.message}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sitecore-content-sdk/core",
-  "version": "0.2.0-beta.14",
+  "version": "0.2.0-beta.16",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
   "sideEffects": false,
@@ -71,13 +71,14 @@
     "debug": "^4.4.0",
     "graphql": "^16.11.0",
     "graphql-request": "^6.1.0",
+    "keytar": "^7.9.0",
     "memory-cache": "^0.2.0",
     "sinon-chai": "^4.0.0",
     "url-parse": "^1.5.10"
   },
   "description": "",
   "types": "types/index.d.ts",
-  "gitHead": "7a86b92b3c3fd27c57067509613d3a99d3edc74f",
+  "gitHead": "c3fdb664842dd1bf000cb6bca7c55cf6d33ff446",
   "files": [
     "dist",
     "types",

package/types/constants.d.ts

@@ -5,6 +5,7 @@ export declare enum SitecoreTemplateId {
 export declare const siteNameError = "The siteName cannot be empty";
 export declare const SITECORE_EDGE_URL_DEFAULT = "https://edge-platform.sitecorecloud.io";
 export declare const HIDDEN_RENDERING_NAME = "Hidden Rendering";
+export declare const CLAIMS = "https://auth.sitecorecloud.io/claims";
 export declare const DEFAULT_SITECORE_AUTH_DOMAIN = "https://auth.sitecorecloud.io";
 export declare const DEFAULT_SITECORE_AUTH_AUDIENCE = "https://api.sitecorecloud.io";
 export declare const DEFAULT_SITECORE_AUTH_BASE_URL = "https://edge-platform.sitecorecloud.io/cs/api";

package/types/tools/auth/encryption.d.ts

@@ -0,0 +1,34 @@
+import { EncryptedPayload } from './models';
+/**
+ * Encrypts plaintext using AES-256-GCM for a given tenant.
+ * @param {string} plaintext
+ * @param {string} tenantId
+ */
+export declare let encryptData: typeof _encryptData;
+/**
+ * Decrypts encrypted payload using AES-256-GCM for a specific tenant.
+ * If key is corrupted or invalid, optionally clears both key and tenant data.
+ * @param {EncryptedPayload} payload
+ * @param {string} tenantId
+ * @param {string} cleanupOnFailure
+ */
+export declare let decryptData: typeof _decryptData;
+/**
+ * Deletes the encryption key for a tenant (useful for cleanup).
+ * @param {string} tenantId
+ */
+export declare let deleteKey: typeof _deleteKey;
+export declare const unitMocks: {
+    encryptData: typeof _encryptData;
+    decryptData: typeof _decryptData;
+    deleteKey: typeof _deleteKey;
+};
+/**
+ * Generates or retrieves a 32-byte AES key for a specific tenant.
+ * @param {string} tenantId
+ */
+export declare function getKey(tenantId: string): Promise<Buffer>;
+declare function _encryptData(plaintext: string, tenantId: string): Promise<EncryptedPayload>;
+declare function _decryptData(payload: EncryptedPayload, tenantId: string, cleanupOnFailure?: boolean): Promise<string | null>;
+declare function _deleteKey(tenantId: string): Promise<void>;
+export {};

package/types/tools/auth/index.d.ts

@@ -1,4 +1,5 @@
 export { clientCredentialsFlow } from './flow';
-export { renewClientToken, renewAuthIfExpired, validateAuthInfo } from './renewal';
+export { renewClientToken, validateAndRenewAuthIfExpired, validateAuthInfo } from './renewal';
 export { getActiveTenant, setActiveTenant, clearActiveTenant } from './tenant-state';
 export { writeTenantAuthInfo, readTenantAuthInfo, deleteTenantAuthInfo, readTenantInfo, getAllTenantsInfo, writeTenantInfo, } from './tenant-store';
+export { encryptData, decryptData, deleteKey } from './encryption';

package/types/tools/auth/models.d.ts

@@ -92,3 +92,14 @@ export interface TenantInfo {
      */
     baseUrl: string;
 }
+export type EncryptedPayload = {
+    iv: string;
+    /**
+     * Authentication tag for integrity verification
+     */
+    authTag: string;
+    /**
+     * Base64-encoded encrypted data
+     */
+    encryptedData: string;
+};

package/types/tools/auth/renewal.d.ts

@@ -17,6 +17,6 @@ export declare function renewClientToken(authInfo: TenantAuth, tenantInfo: Tenan
  * Ensures a valid token exists, renews it if expired.
  * Returns tenant context if successful, otherwise null.
  */
-export declare function renewAuthIfExpired(): Promise<{
+export declare function validateAndRenewAuthIfExpired(): Promise<{
     tenantId: string;
 } | null>;