@sitecore-content-sdk/core 0.2.0-beta.2 → 0.2.0-beta.21

package/dist/cjs/layout/content-styles.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.traverseComponent = exports.traverseField = exports.traversePlaceholder = exports.getContentStylesheetUrl = exports.getContentStylesheetLink = void 0;
 const constants_1 = require("../constants");
+const normalize_url_1 = require("../utils/normalize-url");
 /**
  * Regular expression to check if the content styles are used in the field value
  */
@@ -26,7 +27,7 @@ const getContentStylesheetLink = (layoutData, sitecoreEdgeContextId, sitecoreEdg
     };
 };
 exports.getContentStylesheetLink = getContentStylesheetLink;
-const getContentStylesheetUrl = (sitecoreEdgeContextId, sitecoreEdgeUrl = constants_1.SITECORE_EDGE_URL_DEFAULT) => `${sitecoreEdgeUrl}/v1/files/pages/styles/content-styles.css?sitecoreContextId=${sitecoreEdgeContextId}`;
+const getContentStylesheetUrl = (sitecoreEdgeContextId, sitecoreEdgeUrl = constants_1.SITECORE_EDGE_URL_DEFAULT) => `${(0, normalize_url_1.normalizeUrl)(sitecoreEdgeUrl)}/v1/files/pages/styles/content-styles.css?sitecoreContextId=${sitecoreEdgeContextId}`;
 exports.getContentStylesheetUrl = getContentStylesheetUrl;
 const traversePlaceholder = (components, config) => {
     if (config.loadStyles)

package/dist/cjs/layout/themes.js

@@ -4,6 +4,7 @@ exports.getStylesheetUrl = void 0;
 exports.getDesignLibraryStylesheetLinks = getDesignLibraryStylesheetLinks;
 const _1 = require(".");
 const constants_1 = require("../constants");
+const normalize_url_1 = require("../utils/normalize-url");
 /**
  * Pattern for library ids
  * @example -library--foo
@@ -27,7 +28,7 @@ function getDesignLibraryStylesheetLinks(layoutData, sitecoreEdgeContextId, site
     }));
 }
 const getStylesheetUrl = (id, sitecoreEdgeContextId, sitecoreEdgeUrl = constants_1.SITECORE_EDGE_URL_DEFAULT) => {
-    return `${sitecoreEdgeUrl}/v1/files/components/styles/${id}.css?sitecoreContextId=${sitecoreEdgeContextId}`;
+    return `${(0, normalize_url_1.normalizeUrl)(sitecoreEdgeUrl)}/v1/files/components/styles/${id}.css?sitecoreContextId=${sitecoreEdgeContextId}`;
 };
 exports.getStylesheetUrl = getStylesheetUrl;
 /**

package/dist/cjs/site/graphql-robots-service.js

@@ -33,17 +33,18 @@ class GraphQLRobotsService {
     }
     /**
      * Fetch a data of robots.txt from API
+     * @param {FetchOptions} fetchOptions - The fetch options to be used for the request.
      * @returns text of robots.txt
      * @throws {Error} if the siteName is empty.
      */
-    async fetchRobots() {
+    async fetchRobots(fetchOptions) {
         const siteName = this.options.siteName;
         if (!siteName) {
             throw new Error(constants_1.siteNameError);
         }
         const robotsResult = this.graphQLClient.request(this.query, {
             siteName,
-        });
+        }, fetchOptions);
         try {
             return robotsResult.then((result) => {
                 var _a, _b;

package/dist/cjs/tools/auth/encryption.js

@@ -0,0 +1,141 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.deleteKey = exports.decryptData = exports.encryptData = void 0;
+exports.getKey = getKey;
+/* eslint-disable jsdoc/require-jsdoc */
+const keytar_1 = __importDefault(require("keytar"));
+const crypto = __importStar(require("crypto"));
+const tenant_store_1 = require("./tenant-store");
+const tenant_state_1 = require("./tenant-state");
+const algorithm = 'aes-256-gcm';
+const SERVICE_NAME = 'sitecore-tools-cli';
+/**
+ * Encrypts plaintext using AES-256-GCM for a given tenant.
+ * @param {string} plaintext
+ * @param {string} tenantId
+ */
+exports.encryptData = _encryptData;
+/**
+ * Decrypts encrypted payload using AES-256-GCM for a specific tenant.
+ * If key is corrupted or invalid, optionally clears both key and tenant data.
+ * @param {EncryptedPayload} payload
+ * @param {string} tenantId
+ * @param {string} cleanupOnFailure
+ */
+exports.decryptData = _decryptData;
+/**
+ * Deletes the encryption key for a tenant (useful for cleanup).
+ * @param {string} tenantId
+ */
+exports.deleteKey = _deleteKey;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set encryptData(mockImplementation) {
+        exports.encryptData = mockImplementation;
+    },
+    get encryptData() {
+        return _encryptData;
+    },
+    set decryptData(mockImplementation) {
+        exports.decryptData = mockImplementation;
+    },
+    get decryptData() {
+        return _decryptData;
+    },
+    set deleteKey(mockImplementation) {
+        exports.deleteKey = mockImplementation;
+    },
+    get deleteKey() {
+        return _deleteKey;
+    },
+};
+/**
+ * Generates or retrieves a 32-byte AES key for a specific tenant.
+ * @param {string} tenantId
+ */
+async function getKey(tenantId) {
+    const account = `encryptionKey-${tenantId}`;
+    const key = await keytar_1.default.getPassword(SERVICE_NAME, account);
+    if (!key) {
+        const keyBuffer = crypto.randomBytes(32);
+        await keytar_1.default.setPassword(SERVICE_NAME, account, keyBuffer.toString('base64'));
+        return keyBuffer;
+    }
+    return Buffer.from(key, 'base64');
+}
+async function _encryptData(plaintext, tenantId) {
+    const key = await getKey(tenantId);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag().toString('base64');
+    return {
+        iv: iv.toString('base64'),
+        authTag,
+        encryptedData: encrypted,
+    };
+}
+async function _decryptData(payload, tenantId, cleanupOnFailure = true) {
+    try {
+        const key = await getKey(tenantId);
+        const decipher = crypto.createDecipheriv(algorithm, key, Buffer.from(payload.iv, 'base64'));
+        decipher.setAuthTag(Buffer.from(payload.authTag, 'base64'));
+        let decrypted = decipher.update(payload.encryptedData, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (err) {
+        console.error(`\nFailed to decrypt data for tenant '${tenantId}':`, err);
+        if (cleanupOnFailure) {
+            console.warn(`\nCleaning up key and auth data for corrupted tenant '${tenantId}'...`);
+            await (0, tenant_store_1.deleteTenantAuthInfo)(tenantId);
+            await (0, exports.deleteKey)(`encryptionKey-${tenantId}`);
+            (0, tenant_state_1.clearActiveTenant)();
+            console.warn(`\nCleanup completed for tenant '${tenantId}'.`);
+            return null;
+        }
+        throw err;
+    }
+}
+async function _deleteKey(tenantId) {
+    await keytar_1.default.deletePassword(SERVICE_NAME, `encryptionKey-${tenantId}`);
+}

package/dist/cjs/tools/auth/fetcher.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sendPostRequest = exports.unitMocks = void 0;
+/* eslint-disable jsdoc/require-jsdoc */
+exports.unitMocks = {
+    set sendPostRequest(mockImplementation) {
+        exports.sendPostRequest = mockImplementation;
+    },
+    get sendPostRequest() {
+        return _sendPostRequest;
+    },
+};
+/**
+ * Performs a POST request with application/x-www-form-urlencoded headers.
+ * @param {string} url - The endpoint to post to.
+ * @param { URLSearchParams} params - A URLSearchParams instance representing the body.
+ * @returns Parsed JSON response.
+ * @throws Error if response is not OK.
+ */
+exports.sendPostRequest = _sendPostRequest;
+async function _sendPostRequest(url, params, throwOnError = true) {
+    const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    const data = await response.json();
+    if (throwOnError && !response.ok) {
+        throw new Error(data.error_description || data.error || 'Unknown error occurred');
+    }
+    return data;
+}

package/dist/cjs/tools/auth/flow.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.pollForDeviceToken = exports.startDeviceAuthFlow = exports.clientCredentialsFlow = void 0;
+exports._startDeviceAuthFlow = _startDeviceAuthFlow;
+exports._pollForDeviceToken = _pollForDeviceToken;
+const tenant_store_1 = require("./tenant-store");
+const fetcher_1 = require("./fetcher");
+const constants_1 = require("../../constants");
+/**
+ * Performs the OAuth 2.0 client credentials flow to obtain a JWT access token
+ * from the Sitecore Identity Provider using the provided client credentials.
+ * @param {TenantArgs} params - Parameters including clientId, clientSecret, organizationId, tenantId, audience, authority, and baseUrl.
+ * @returns A Promise that resolves to the access token response (including access token, token type, expiry, etc.)
+ * @throws Will log and exit the process if the request fails or returns a non-OK status
+ */
+exports.clientCredentialsFlow = _clientCredentialsFlow;
+/**
+ * Initiates the OAuth 2.0 Device Authorization flow by requesting a device and user code.
+ * This flow is typically used by devices or CLI apps that cannot input credentials directly.
+ * @param {DeviceAuthRequest} params - Parameters including clientId, audience, authority, and baseUrl.
+ * @returns {Promise<DeviceAuthResponse>} A promise resolving to device authorization metadata needed for polling.
+ * @throws {Error} If the device authorization request fails or returns an error response.
+ */
+exports.startDeviceAuthFlow = _startDeviceAuthFlow;
+/**
+ * Polls the OAuth 2.0 device token endpoint to retrieve the access token once the user has authorized the device.
+ * This is typically used to continue the device authorization process after a user enters a code on a browser.
+ * @param {DeviceTokenPollRequest} params - Parameters for polling including clientId, deviceCode, interval, and authority.
+ * @returns {Promise<any>} A promise resolving to the device token response including access token and refresh token.
+ * @throws {Error} If polling fails or exceeds the timeout period.
+ */
+exports.pollForDeviceToken = _pollForDeviceToken;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set clientCredentialsFlow(mockImplementation) {
+        exports.clientCredentialsFlow = mockImplementation;
+    },
+    get clientCredentialsFlow() {
+        return _clientCredentialsFlow;
+    },
+    set startDeviceAuthFlow(mockImplementation) {
+        exports.startDeviceAuthFlow = mockImplementation;
+    },
+    get startDeviceAuthFlow() {
+        return _startDeviceAuthFlow;
+    },
+    set pollForDeviceToken(mockImplementation) {
+        exports.pollForDeviceToken = mockImplementation;
+    },
+    get pollForDeviceToken() {
+        return _pollForDeviceToken;
+    },
+};
+async function _clientCredentialsFlow({ clientId, clientSecret, organizationId, tenantId, audience = constants_1.DEFAULT_SITECORE_AUTH_AUDIENCE, authority = constants_1.DEFAULT_SITECORE_AUTH_DOMAIN, baseUrl = constants_1.DEFAULT_SITECORE_AUTH_BASE_URL, }) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret !== null && clientSecret !== void 0 ? clientSecret : '',
+        organization_id: organizationId !== null && organizationId !== void 0 ? organizationId : '',
+        tenant_id: tenantId !== null && tenantId !== void 0 ? tenantId : '',
+        audience,
+        grant_type: constants_1.CLIENT_GRANT_TYPE,
+        baseUrl: baseUrl !== null && baseUrl !== void 0 ? baseUrl : '',
+    });
+    const url = `${authority}/oauth/token`;
+    const data = await (0, fetcher_1.sendPostRequest)(url, params);
+    const decodedPayload = (0, tenant_store_1.decodeJwtPayload)(data.access_token) || {};
+    if (!(decodedPayload === null || decodedPayload === void 0 ? void 0 : decodedPayload.tokenTenantId) || !decodedPayload.tokenOrgId) {
+        throw new Error('\n Token is missing required claims tenant_id or org_id.');
+    }
+    const { tokenTenantId, tokenOrgId, tokenTenantName } = decodedPayload;
+    if (tenantId && tenantId !== tokenTenantId) {
+        throw new Error('\n Mismatch: Provided tenant ID does not match claims tenant ID.');
+    }
+    if (organizationId && organizationId !== tokenOrgId) {
+        throw new Error('\n Mismatch: Provided organization ID does not match claims organization ID.');
+    }
+    return { data, tokenOrgId, tokenTenantId, tokenTenantName, accessToken: data.access_token };
+}
+async function _startDeviceAuthFlow({ clientId, audience, authority, baseUrl, }) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        scope: constants_1.SCOPE,
+        audience,
+        baseUrl,
+    });
+    const url = `${authority}/oauth/device/code`;
+    const responseBody = (await (0, fetcher_1.sendPostRequest)(url, params));
+    return responseBody;
+}
+async function _pollForDeviceToken({ clientId, device_code, interval = constants_1.DEFAULT_INTERVAL, authority = constants_1.DEFAULT_SITECORE_AUTH_DOMAIN, }) {
+    const startTime = Date.now();
+    while (Date.now() - startTime < constants_1.TIMEOUT * 1000) {
+        const params = new URLSearchParams({
+            grant_type: constants_1.DEVICE_GRANT_TYPE,
+            device_code,
+            client_id: clientId,
+        });
+        const url = `${authority}/oauth/token`;
+        const responseBody = await (0, fetcher_1.sendPostRequest)(url, params, false);
+        if ('error' in responseBody) {
+            switch (responseBody.error) {
+                case 'authorization_pending':
+                    console.log('\n ⌛ Waiting for user authorization...');
+                    break;
+                case 'slow_down':
+                    console.log('🐢 Slowing down polling interval...');
+                    interval += 5;
+                    break;
+                default:
+                    throw new Error(responseBody.error_description ||
+                        responseBody.error ||
+                        'Unknown error during device token polling.');
+            }
+            await new Promise((resolve) => setTimeout(resolve, interval * 1000));
+        }
+        else {
+            return responseBody;
+        }
+    }
+    throw new Error('⏳ Timeout: User did not complete authorization in time.');
+}

package/dist/cjs/tools/auth/index.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteKey = exports.decryptData = exports.encryptData = exports.writeTenantInfo = exports.getAllTenantsInfo = exports.readTenantInfo = exports.deleteTenantAuthInfo = exports.readTenantAuthInfo = exports.writeTenantAuthInfo = exports.clearActiveTenant = exports.setActiveTenant = exports.getActiveTenant = exports.getRefreshAccessToken = exports.validateAuthInfo = exports.validateAndRenewAuthIfExpired = exports.renewClientToken = exports.pollForDeviceToken = exports.startDeviceAuthFlow = exports.clientCredentialsFlow = void 0;
+var flow_1 = require("./flow");
+Object.defineProperty(exports, "clientCredentialsFlow", { enumerable: true, get: function () { return flow_1.clientCredentialsFlow; } });
+Object.defineProperty(exports, "startDeviceAuthFlow", { enumerable: true, get: function () { return flow_1.startDeviceAuthFlow; } });
+Object.defineProperty(exports, "pollForDeviceToken", { enumerable: true, get: function () { return flow_1.pollForDeviceToken; } });
+var renewal_1 = require("./renewal");
+Object.defineProperty(exports, "renewClientToken", { enumerable: true, get: function () { return renewal_1.renewClientToken; } });
+Object.defineProperty(exports, "validateAndRenewAuthIfExpired", { enumerable: true, get: function () { return renewal_1.validateAndRenewAuthIfExpired; } });
+Object.defineProperty(exports, "validateAuthInfo", { enumerable: true, get: function () { return renewal_1.validateAuthInfo; } });
+Object.defineProperty(exports, "getRefreshAccessToken", { enumerable: true, get: function () { return renewal_1.getRefreshAccessToken; } });
+var tenant_state_1 = require("./tenant-state");
+Object.defineProperty(exports, "getActiveTenant", { enumerable: true, get: function () { return tenant_state_1.getActiveTenant; } });
+Object.defineProperty(exports, "setActiveTenant", { enumerable: true, get: function () { return tenant_state_1.setActiveTenant; } });
+Object.defineProperty(exports, "clearActiveTenant", { enumerable: true, get: function () { return tenant_state_1.clearActiveTenant; } });
+var tenant_store_1 = require("./tenant-store");
+Object.defineProperty(exports, "writeTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.writeTenantAuthInfo; } });
+Object.defineProperty(exports, "readTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.readTenantAuthInfo; } });
+Object.defineProperty(exports, "deleteTenantAuthInfo", { enumerable: true, get: function () { return tenant_store_1.deleteTenantAuthInfo; } });
+Object.defineProperty(exports, "readTenantInfo", { enumerable: true, get: function () { return tenant_store_1.readTenantInfo; } });
+Object.defineProperty(exports, "getAllTenantsInfo", { enumerable: true, get: function () { return tenant_store_1.getAllTenantsInfo; } });
+Object.defineProperty(exports, "writeTenantInfo", { enumerable: true, get: function () { return tenant_store_1.writeTenantInfo; } });
+var encryption_1 = require("./encryption");
+Object.defineProperty(exports, "encryptData", { enumerable: true, get: function () { return encryption_1.encryptData; } });
+Object.defineProperty(exports, "decryptData", { enumerable: true, get: function () { return encryption_1.decryptData; } });
+Object.defineProperty(exports, "deleteKey", { enumerable: true, get: function () { return encryption_1.deleteKey; } });

package/dist/cjs/tools/auth/models.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/tools/auth/renewal.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.getRefreshAccessToken = void 0;
+exports.validateAuthInfo = validateAuthInfo;
+exports.renewClientToken = renewClientToken;
+exports.validateAndRenewAuthIfExpired = validateAndRenewAuthIfExpired;
+const tenant_state_1 = require("./tenant-state");
+const flow_1 = require("./flow");
+const tenant_store_1 = require("./tenant-store");
+const encryption_1 = require("./encryption");
+const constants_1 = require("./../../constants");
+const tenant_store_2 = require("./tenant-store");
+const fetcher_1 = require("./fetcher");
+/**
+ * Requests a new access token using the OAuth 2.0 refresh token grant type.
+ * This is used to "upgrade" an initial device flow token by including tenant-specific context.
+ * @param {RefreshTokenRequest} options - Configuration for the refresh token request.
+ * @returns {Promise<any>} A promise that resolves to the refreshed token data including tenant context.
+ * @throws {Error} If the token request fails or returns an error response.
+ */
+exports.getRefreshAccessToken = _getRefreshAccessToken;
+exports.unitMocks = {
+    get getRefreshAccessToken() {
+        return _getRefreshAccessToken;
+    },
+    set getRefreshAccessToken(mockFn) {
+        exports.getRefreshAccessToken = mockFn;
+    },
+};
+/**
+ * Validates whether a given auth config is still valid (i.e., not expired).
+ * @param {TenantAuth} authInfo - The tenant auth configuration.
+ * @returns True if the token is still valid, false if expired.
+ */
+function validateAuthInfo(authInfo) {
+    const now = new Date();
+    const expiry = new Date(authInfo.expires_at);
+    return now < expiry;
+}
+/**
+ * Renews the token for a given tenant using stored credentials.
+ * @param {TenantAuth} authInfo - Current authentication info for the tenant.
+ * @param {TenantInfo} tenantInfo - Public metadata about the tenant (e.g., clientId).
+ * @returns {Promise<void>} resolving when the token is successfully renewed.
+ * @throws If credentials are missing or renewal fails.
+ */
+async function renewClientToken(authInfo, tenantInfo) {
+    const result = await (0, flow_1.clientCredentialsFlow)({
+        clientId: tenantInfo.clientId,
+        clientSecret: authInfo.clientSecret,
+        organizationId: tenantInfo.organizationId,
+        tenantId: tenantInfo.tenantId,
+        audience: tenantInfo.audience,
+        authority: tenantInfo.authority,
+        baseUrl: tenantInfo.baseUrl,
+    });
+    const tenantId = tenantInfo.tenantId;
+    await (0, tenant_store_1.writeTenantAuthInfo)(tenantId, {
+        clientSecret: authInfo.clientSecret,
+        access_token: result.data.access_token,
+        expires_in: result.data.expires_in,
+        expires_at: new Date(Date.now() + result.data.expires_in * 1000).toISOString(),
+    });
+    console.log(`\n Token for tenant ${tenantId} renewed.`);
+}
+/**
+ * Ensures a valid token exists, renews it if expired.
+ * @returns {Promise<{ tenantId: string } | null>} returns tenant context if successful, otherwise null.
+ * @throws If renewal fails or credentials are missing.
+ */
+async function validateAndRenewAuthIfExpired() {
+    const tenantId = (0, tenant_state_1.getActiveTenant)();
+    if (!tenantId)
+        return null;
+    const authInfo = await (0, tenant_store_1.readTenantAuthInfo)(tenantId);
+    if (!authInfo)
+        return null;
+    const isValid = validateAuthInfo(authInfo);
+    if (isValid) {
+        return { tenantId };
+    }
+    const tenantInfo = await (0, tenant_store_1.readTenantInfo)(tenantId);
+    if (!tenantInfo)
+        return null;
+    console.log(`\n Token for tenant ${tenantId} is expired. Renewing...`);
+    try {
+        if (authInfo.clientSecret) {
+            await renewClientToken(authInfo, tenantInfo);
+            return { tenantId };
+        }
+        else if (authInfo.refresh_token) {
+            const refreshTokenResponse = await (0, exports.getRefreshAccessToken)({
+                clientId: tenantInfo.clientId,
+                refreshToken: authInfo.refresh_token,
+                tenantId: tenantId,
+                organizationId: tenantInfo.organizationId,
+                authority: tenantInfo.authority,
+            });
+            await (0, tenant_store_1.writeTenantAuthInfo)(tenantId, Object.assign({ expires_at: new Date(Date.now() + refreshTokenResponse.expires_in * 1000).toISOString() }, refreshTokenResponse));
+            console.log(`\n Token for tenant ${tenantId} renewed.`);
+            return { tenantId };
+        }
+        else {
+            throw new Error('\n No valid credentials found for token renewal.');
+        }
+    }
+    catch (err) {
+        const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+        console.error(`\n Failed to renew token for tenant '${tenantId}: ${errorMessage}'`);
+        console.log(`\n Cleaning up stale authentication data for tenant '${tenantId}'...`);
+        await (0, tenant_store_1.deleteTenantAuthInfo)(tenantId);
+        await (0, encryption_1.deleteKey)(tenantId);
+        (0, tenant_state_1.clearActiveTenant)();
+        return null;
+    }
+}
+// eslint-disable-next-line jsdoc/require-jsdoc
+async function _getRefreshAccessToken({ clientId, refreshToken, tenantId, organizationId, authority = constants_1.DEFAULT_SITECORE_AUTH_DOMAIN, }) {
+    const params = new URLSearchParams({
+        client_id: clientId,
+        grant_type: constants_1.REFRESH_GRANT_TYPE,
+        refresh_token: refreshToken,
+        tenant_id: tenantId,
+        organization_id: organizationId,
+    });
+    const url = `${authority}/oauth/token`;
+    const data = await (0, fetcher_1.sendPostRequest)(url, params);
+    const { tokenTenantName } = (0, tenant_store_2.decodeJwtPayload)(data.access_token) || {};
+    return Object.assign(Object.assign({}, data), { tenantName: tokenTenantName });
+}

package/dist/cjs/tools/auth/tenant-state.js

@@ -0,0 +1,110 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unitMocks = exports.clearActiveTenant = exports.getActiveTenant = void 0;
+exports.setActiveTenant = setActiveTenant;
+/* eslint-disable jsdoc/require-jsdoc */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const configDir = path.join(os.homedir(), '.sitecore', 'sitecore-tools');
+const settingsFile = path.join(configDir, 'settings.json');
+/**
+ * Gets the ID of the currently active tenant from settings.json.
+ * @returns The active tenant ID if present, otherwise null.
+ */
+exports.getActiveTenant = _getActiveTenant;
+/**
+ * Clears the currently active tenant from settings.json by deleting the file.
+ */
+exports.clearActiveTenant = _clearActiveTenant;
+// mock setup for unit tests to make sinon happy and mock-able with esbuild/tsx
+// https://sinonjs.org/how-to/typescript-swc/
+// This, plus the `_` names make the exports writable for sinon
+exports.unitMocks = {
+    set clearActiveTenant(mockImplementation) {
+        exports.clearActiveTenant = mockImplementation;
+    },
+    get clearActiveTenant() {
+        return _clearActiveTenant;
+    },
+    set getActiveTenant(mockImplementation) {
+        exports.getActiveTenant = mockImplementation;
+    },
+    get getActiveTenant() {
+        return _getActiveTenant;
+    },
+};
+function _getActiveTenant() {
+    var _a;
+    if (!fs.existsSync(settingsFile)) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(settingsFile, 'utf-8');
+        const data = JSON.parse(content);
+        return (_a = data.activeTenant) !== null && _a !== void 0 ? _a : null;
+    }
+    catch (error) {
+        console.error(`\n Failed to read active tenant: ${error.message}`);
+        return null;
+    }
+}
+/**
+ * Sets the currently active tenant by writing to settings.json.
+ * @param {string} tenantId - The tenant ID to set as active.
+ */
+function setActiveTenant(tenantId) {
+    try {
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true });
+        }
+        const data = { activeTenant: tenantId };
+        fs.writeFileSync(settingsFile, JSON.stringify(data, null, 2));
+    }
+    catch (error) {
+        console.error(`\n Failed to set active tenant '${tenantId}': ${error.message}`);
+    }
+}
+function _clearActiveTenant() {
+    try {
+        if (fs.existsSync(settingsFile)) {
+            fs.unlinkSync(settingsFile);
+        }
+    }
+    catch (error) {
+        console.error(`\n Failed to clear active tenant: ${error.message}`);
+    }
+}