@trayio/cdk-cli 5.5.0 → 5.6.0

package/OAUTH2_TOKEN.md

@@ -0,0 +1,290 @@
+# OAuth2 Token Command
+
+Generate or refresh OAuth2 tokens for connector testing and development.
+
+## Overview
+
+The `oauth2-token` command automates OAuth2 token acquisition for testing connectors locally. It supports multiple OAuth2 grant types and can read configuration from your test context file, environment variables, or command-line flags.
+
+## Quick Start
+
+```bash
+# Auto-detect grant type from test.ctx.json
+tray-cdk connector oauth2-token
+
+# Use specific grant type
+tray-cdk connector oauth2-token --grantType client_credentials
+
+# Refresh an existing token
+tray-cdk connector oauth2-token --refresh
+```
+
+## Supported Grant Types
+
+- **Client Credentials**: Machine-to-machine authentication
+- **Authorization Code** (with PKCE): User authentication with browser redirect
+- **Device Code**: Authentication for devices with limited input capabilities
+- **Refresh Token**: Renew access tokens using a refresh token
+
+## Configuration
+
+The command uses a three-tier configuration system with the following precedence:
+
+1. **Command-line flags** (highest priority)
+2. **Environment variables** (from `.env` file)
+3. **Context file** (`src/test.ctx.json` by default)
+
+### Command-Line Flags
+
+```bash
+--ctxPath, -c        Path to context JSON file (default: src/test.ctx.json)
+--envPath, -e        Path to .env file (default: .env)
+--grantType, -g      OAuth2 grant type (auto|client_credentials|authorization_code|device_code)
+--refresh, -r        Use refresh token to get new access token
+--tokenUrl           Override token URL
+--clientId           Override client ID
+--clientSecret       Override client secret
+--authorizeUrl       Override authorization URL
+--deviceCodeUrl      Override device authorization URL
+--redirectUri        Override redirect URI for auth code flow
+--scope              Override scope (space-separated)
+--audience           Override audience
+--openBrowser        Open browser for interactive flows (default: true)
+--dryRun, -n         Print token JSON without writing to file
+```
+
+### Environment Variables
+
+Create a `.env` file in your project root:
+
+```bash
+# OAuth2 Configuration
+CLIENT_ID=your_client_id_here
+CLIENT_SECRET=your_client_secret_here
+TOKEN_URL=https://oauth.provider.com/token
+AUTHORIZE_URL=https://oauth.provider.com/authorize
+DEVICE_CODE_URL=https://oauth.provider.com/device_authorization
+REDIRECT_URI=http://127.0.0.1:3400/callback
+SCOPE="read write admin"
+AUDIENCE=https://api.provider.com
+REFRESH_TOKEN=your_refresh_token_here
+```
+
+### Context File
+
+The command writes tokens to `src/test.ctx.json` by default. This file is where your OAuth2 tokens are automatically stored after successful authentication.
+
+**Recommended approach:** Keep secrets in `.env` and let the command write tokens to `test.ctx.json`:
+
+**Initial state** (should use the correct structure for your connector auth):
+
+```json
+{
+	"auth": {
+		"user": {},
+		"app": {}
+	}
+}
+```
+
+**After running the command**, tokens are automatically written:
+
+```json
+{
+	
+	"auth": {
+		"user": {
+			  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
+			  "refresh_token": "v1.MRkaGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
+			  "expires_in": 3600,
+			  "expires_at": 1699564800
+			  "token_type": "Bearer"
+		},
+		"app": {}
+	}
+}
+```
+
+**Note:** While you *can* put `client_id`, `client_secret`, and other OAuth config in `test.ctx.json`, it's better practice to keep secrets in your `.env` file (which should be gitignored) and let the command read from there.
+
+## Usage Examples
+
+### Client Credentials Flow
+
+Best for: Machine-to-machine authentication, server-to-server APIs
+
+```bash
+# Using context file
+tray-cdk connector oauth2-token --grantType client_credentials
+
+# Using environment variables
+tray-cdk connector oauth2-token --grantType client_credentials --envPath .env.production
+
+# Using command-line flags
+tray-cdk connector oauth2-token \
+  --grantType client_credentials \
+  --tokenUrl https://oauth.example.com/token \
+  --clientId my-client-id \
+  --clientSecret my-client-secret \
+  --scope "read write"
+```
+
+**Required configuration:**
+- `token_url` / `tokenUrl`
+- `client_id` / `clientId`
+- `client_secret` / `clientSecret`
+
+**Optional configuration:**
+- `scope` / `scopes`
+- `audience`
+
+### Authorization Code Flow (with PKCE)
+
+Best for: User authentication, web applications, mobile apps
+
+```bash
+# Auto-opens browser for authentication
+tray-cdk connector oauth2-token --grantType authorization_code
+
+# Custom redirect URI
+tray-cdk connector oauth2-token \
+  --grantType authorization_code \
+  --redirectUri http://localhost:8080/callback
+
+# Non-localhost redirect (manual URL paste)
+tray-cdk connector oauth2-token \
+  --grantType authorization_code \
+  --redirectUri https://oauth.pstmn.io/v1/callback \
+  --openBrowser false
+```
+
+#### HTTPS Redirect URI Requirements
+
+Some OAuth providers (like Workday, Salesforce) require HTTPS redirect URIs and won't accept `http://localhost`. Since the CLI's local callback server only supports HTTP, you need to use a **static HTTPS redirect URI** with manual URL pasting.
+
+**Recommended: Use Postman's Public OAuth Callback**
+
+Postman provides a free, public OAuth callback service at a static URL that you can pre-register in your OAuth provider:
+
+```bash
+# In your .env file
+REDIRECT_URI=https://oauth.pstmn.io/v1/callback
+
+# Run the command
+tray-cdk connector oauth2-token --grantType authorization_code
+```
+
+**How it works:**
+1. **One-time setup:** Register `https://oauth.pstmn.io/v1/callback` as an allowed redirect URI in your OAuth provider (e.g., Workday)
+2. Run the command - it will open your browser for authorization
+3. After authorizing, Workday redirects to Postman's callback page
+4. Copy the **full URL** from your browser's address bar (it contains the authorization code)
+5. Paste it into the terminal when prompted
+6. The command extracts the authorization code and exchanges it for tokens
+
+**Required configuration:**
+- `token_url` / `tokenUrl`
+- `authorize_url` / `authorizeUrl` / `authorization_endpoint`
+- `client_id` / `clientId`
+
+**Optional configuration:**
+- `client_secret` / `clientSecret` (if required by provider)
+- `redirect_uri` / `redirectUri` (default: `http://127.0.0.1:3400/callback`)
+- `scope` / `scopes`
+- `audience`
+
+### Device Code Flow
+
+Best for: Devices with limited input (smart TVs, IoT devices, CLI tools)
+
+```bash
+# Opens browser with user code
+tray-cdk connector oauth2-token --grantType device_code
+
+# Without opening browser
+tray-cdk connector oauth2-token \
+  --grantType device_code \
+  --openBrowser false
+```
+
+**Required configuration:**
+- `token_url` / `tokenUrl`
+- `device_code_url` / `device_authorization_endpoint` / `deviceAuthorizationUrl`
+- `client_id` / `clientId`
+
+**Optional configuration:**
+- `client_secret` / `clientSecret`
+- `scope` / `scopes`
+- `audience`
+
+**Flow behavior:**
+1. Requests device code from authorization server
+2. Displays user code and verification URL
+3. Optionally opens browser to verification URL
+4. Polls token endpoint until user completes authorization
+5. Writes tokens to context file
+
+### Refresh Token Flow
+
+Best for: Renewing expired access tokens
+
+```bash
+# Refresh using token from context file
+tray-cdk connector oauth2-token --refresh
+
+# Refresh using token from environment
+REFRESH_TOKEN=your_token tray-cdk connector oauth2-token --refresh
+
+# Dry run to see new token without writing
+tray-cdk connector oauth2-token --refresh --dryRun
+```
+
+**Required configuration:**
+- `token_url` / `tokenUrl`
+- `client_id` / `clientId`
+- `refresh_token` / `refreshToken` (from context, env, or previous token response)
+
+**Optional configuration:**
+- `client_secret` / `clientSecret`
+- `scope` / `scopes`
+- `audience`
+
+### Auto Grant Type Detection
+
+When using `--grantType auto` (default), the command automatically selects the appropriate flow:
+
+```bash
+# Auto-detects based on available configuration
+tray-cdk connector oauth2-token
+```
+
+**Detection priority:**
+1. If `authorize_url` is present → **Authorization Code Flow**
+2. If `device_code_url` is present → **Device Code Flow**
+3. If `grant_type` is specified in context → Use that type
+4. Otherwise → **Client Credentials Flow**
+
+## Common Scenarios
+
+### Testing with Multiple Environments
+
+```bash
+# Development
+tray-cdk connector oauth2-token --envPath .env.dev
+
+# Staging
+tray-cdk connector oauth2-token --envPath .env.staging
+
+# Production
+tray-cdk connector oauth2-token --envPath .env.production
+```
+
+### Inspecting Token Without Writing
+
+```bash
+# Dry run to see token response
+tray-cdk connector oauth2-token --dryRun
+
+# Pipe to jq for formatted output
+tray-cdk connector oauth2-token --dryRun | jq
+```

package/README.md

@@ -19,7 +19,7 @@ $ npm install -g @trayio/cdk-cli
 $ tray-cdk COMMAND
 running command...
 $ tray-cdk (--version|-v)
-@trayio/cdk-cli/5.5.0 linux-x64 node-v18.20.8
+@trayio/cdk-cli/5.6.0 linux-x64 node-v18.20.8
 $ tray-cdk --help [COMMAND]
 USAGE
   $ tray-cdk COMMAND
@@ -36,6 +36,7 @@ USAGE
 * [`tray-cdk connector build`](#tray-cdk-connector-build)
 * [`tray-cdk connector import [OPENAPISPEC] [CONNECTORNAME]`](#tray-cdk-connector-import-openapispec-connectorname)
 * [`tray-cdk connector init [CONNECTORNAME]`](#tray-cdk-connector-init-connectorname)
+* [`tray-cdk connector oauth2-token`](#tray-cdk-connector-oauth2-token)
 * [`tray-cdk connector test [OPERATIONNAME]`](#tray-cdk-connector-test-operationname)
 * [`tray-cdk deployment create`](#tray-cdk-deployment-create)
 * [`tray-cdk deployment get [CONNECTORNAME] [CONNECTORVERSION] [UUID]`](#tray-cdk-deployment-get-connectorname-connectorversion-uuid)
@@ -161,6 +162,42 @@ DESCRIPTION
   Initialize a connector project
 ```
 
+## `tray-cdk connector oauth2-token`
+
+Generate or refresh an OAuth2 token from .env and write it to src/test.ctx.json.
+
+```
+USAGE
+  $ tray-cdk connector oauth2-token [-c <value>] [-e <value>] [-g auto|client_credentials|authorization_code|device_code]
+    [-r] [--authorizeUrl <value>] [--redirectUri <value>] [--deviceCodeUrl <value>] [--openBrowser] [--tokenUrl <value>]
+    [--clientId <value>] [--clientSecret <value>] [--scope <value>] [--audience <value>] [--clientAuthMethod
+    basic|body|both] [--disablePkce] [-n]
+
+FLAGS
+  -c, --ctxPath=<value>            [default: src/test.ctx.json] Path to context JSON file
+  -e, --envPath=<value>            [default: .env] Path to .env file for sensitive credentials
+  -g, --grantType=<option>         [default: auto] OAuth2 grant type to use (auto infers from context)
+                                   <options: auto|client_credentials|authorization_code|device_code>
+  -n, --dryRun                     Do not write to file, just print the token JSON
+  -r, --refresh                    Use refresh token to get new access token
+      --audience=<value>           Override audience
+      --authorizeUrl=<value>       Override authorization URL
+      --clientAuthMethod=<option>  Client authentication method: basic (header), body (form), or both (default: body for
+                                   backwards compatibility)
+                                   <options: basic|body|both>
+      --clientId=<value>           Override client ID
+      --clientSecret=<value>       Override client secret
+      --deviceCodeUrl=<value>      Override device authorization URL
+      --disablePkce                Disable PKCE (Proof Key for Code Exchange) for providers that do not support it
+      --openBrowser                Open browser for interactive flows
+      --redirectUri=<value>        Override redirect URI for auth code
+      --scope=<value>              Override scope (space-separated)
+      --tokenUrl=<value>           Override token URL
+
+DESCRIPTION
+  Generate or refresh an OAuth2 token from .env and write it to src/test.ctx.json.
+```
+
 ## `tray-cdk connector test [OPERATIONNAME]`
 
 Build and test connector project or an operation

package/dist/commands/connector/oauth2-token.d.ts

@@ -0,0 +1,45 @@
+/**
+ * OAuth2 Token Command - Generate or refresh OAuth2 tokens
+ */
+import { Command } from '@oclif/core';
+export default class OAuth2Token extends Command {
+    static description: string;
+    static flags: {
+        readonly ctxPath: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly envPath: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly grantType: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly refresh: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        readonly authorizeUrl: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly redirectUri: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly deviceCodeUrl: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly openBrowser: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        readonly tokenUrl: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly clientId: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly clientSecret: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly scope: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly audience: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly clientAuthMethod: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        readonly disablePkce: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        readonly dryRun: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+    };
+    private http;
+    run(): Promise<void>;
+    /**
+     * Extract OAuth2 configuration from context, environment, and flags
+     * Precedence: flags > env > context file
+     */
+    private extractOAuth2Config;
+    /**
+     * Handle refresh token flow
+     */
+    private handleRefreshTokenFlow;
+    /**
+     * Determine which grant type to use
+     */
+    private determineGrantType;
+    /**
+     * Execute the appropriate grant type flow
+     */
+    private executeGrantTypeFlow;
+}
+//# sourceMappingURL=oauth2-token.d.ts.map

package/dist/commands/connector/oauth2-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-token.d.ts","sourceRoot":"","sources":["../../../src/commands/connector/oauth2-token.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,OAAO,EAAa,MAAM,aAAa,CAAC;AAsBjD,MAAM,CAAC,OAAO,OAAO,WAAY,SAAQ,OAAO;IAC/C,MAAM,CAAC,WAAW,SACkE;IAEpF,MAAM,CAAC,KAAK;;;;;;;;;;;;;;;;;MA0DD;IAEX,OAAO,CAAC,IAAI,CAAyB;IAE/B,GAAG;IA2CT;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IA6H3B;;OAEG;YACW,sBAAsB;IA6BpC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA2B1B;;OAEG;YACW,oBAAoB;CA2ClC"}

package/dist/commands/connector/oauth2-token.js

@@ -0,0 +1,243 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * OAuth2 Token Command - Generate or refresh OAuth2 tokens
+ */
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const O = __importStar(require("fp-ts/Option"));
+const function_1 = require("fp-ts/function");
+const path = __importStar(require("path"));
+const AxiosHttpClient_1 = require("@trayio/axios/http/AxiosHttpClient");
+const utils_1 = require("../../lib/oauth2-token/utils");
+const flows_1 = require("../../lib/oauth2-token/flows");
+const token_writer_1 = require("../../lib/oauth2-token/token-writer");
+class OAuth2Token extends core_1.Command {
+    static description = 'Generate or refresh an OAuth2 token from .env and write it to src/test.ctx.json.';
+    static flags = {
+        ctxPath: core_1.Flags.string({
+            char: 'c',
+            default: path.join('src', 'test.ctx.json'),
+            description: 'Path to context JSON file',
+        }),
+        envPath: core_1.Flags.string({
+            char: 'e',
+            default: '.env',
+            description: 'Path to .env file for sensitive credentials',
+        }),
+        grantType: core_1.Flags.string({
+            char: 'g',
+            options: [
+                'auto',
+                'client_credentials',
+                'authorization_code',
+                'device_code',
+            ],
+            default: 'auto',
+            description: 'OAuth2 grant type to use (auto infers from context)',
+        }),
+        refresh: core_1.Flags.boolean({
+            char: 'r',
+            default: false,
+            description: 'Use refresh token to get new access token',
+        }),
+        authorizeUrl: core_1.Flags.string({ description: 'Override authorization URL' }),
+        redirectUri: core_1.Flags.string({
+            description: 'Override redirect URI for auth code',
+        }),
+        deviceCodeUrl: core_1.Flags.string({
+            description: 'Override device authorization URL',
+        }),
+        openBrowser: core_1.Flags.boolean({
+            default: true,
+            description: 'Open browser for interactive flows',
+        }),
+        tokenUrl: core_1.Flags.string({ description: 'Override token URL' }),
+        clientId: core_1.Flags.string({ description: 'Override client ID' }),
+        clientSecret: core_1.Flags.string({ description: 'Override client secret' }),
+        scope: core_1.Flags.string({ description: 'Override scope (space-separated)' }),
+        audience: core_1.Flags.string({ description: 'Override audience' }),
+        clientAuthMethod: core_1.Flags.string({
+            options: ['basic', 'body', 'both'],
+            description: 'Client authentication method: basic (header), body (form), or both (default: body for backwards compatibility)',
+        }),
+        disablePkce: core_1.Flags.boolean({
+            default: false,
+            description: 'Disable PKCE (Proof Key for Code Exchange) for providers that do not support it',
+        }),
+        dryRun: core_1.Flags.boolean({
+            char: 'n',
+            default: false,
+            description: 'Do not write to file, just print the token JSON',
+        }),
+    };
+    http = new AxiosHttpClient_1.AxiosHttpClient();
+    async run() {
+        const { flags } = await this.parse(OAuth2Token);
+        const cwd = process.cwd();
+        const ctxPath = path.isAbsolute(flags.ctxPath)
+            ? flags.ctxPath
+            : path.join(cwd, flags.ctxPath);
+        const envPath = path.isAbsolute(flags.envPath)
+            ? flags.envPath
+            : path.join(cwd, flags.envPath);
+        this.log(chalk_1.default.bold(chalk_1.default.gray(`Reading ${ctxPath}...`)));
+        const ctx = await (0, utils_1.readJsonFile)(ctxPath);
+        // Load environment variables from .env file
+        const envConfig = await (0, utils_1.loadEnvConfig)(envPath);
+        // Extract OAuth2 configuration
+        const config = this.extractOAuth2Config(ctx, envConfig, flags);
+        // Handle refresh token flow
+        if (flags.refresh) {
+            return this.handleRefreshTokenFlow(config, ctx, envConfig, ctxPath, flags.dryRun);
+        }
+        // Determine and execute grant type flow
+        const selectedGrant = this.determineGrantType(config, ctx, flags.grantType);
+        await this.executeGrantTypeFlow(selectedGrant, config, ctxPath, ctx, flags.openBrowser, flags.dryRun);
+    }
+    /**
+     * Extract OAuth2 configuration from context, environment, and flags
+     * Precedence: flags > env > context file
+     */
+    extractOAuth2Config(ctx, envConfig, flags) {
+        const tokenUrl = flags.tokenUrl ||
+            (0, utils_1.getEnvValue)(envConfig, 'TOKEN_URL') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['token_url', 'tokenUrl', 'tokenEndpoint']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const authorizeUrl = flags.authorizeUrl ||
+            (0, utils_1.getEnvValue)(envConfig, 'AUTHORIZE_URL') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, [
+                'authorize_url',
+                'authorization_endpoint',
+                'authorizeUrl',
+            ]), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const deviceCodeUrl = flags.deviceCodeUrl ||
+            (0, utils_1.getEnvValue)(envConfig, 'DEVICE_CODE_URL') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, [
+                'device_code_url',
+                'device_authorization_endpoint',
+                'deviceAuthorizationUrl',
+                'device_authorization_url',
+            ]), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const clientId = flags.clientId ||
+            (0, utils_1.getEnvValue)(envConfig, 'CLIENT_ID') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['client_id', 'clientId']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const clientSecret = flags.clientSecret ||
+            (0, utils_1.getEnvValue)(envConfig, 'CLIENT_SECRET') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['client_secret', 'clientSecret']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const scope = flags.scope ||
+            (0, utils_1.getEnvValue)(envConfig, 'SCOPE') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['scope', 'scopes']), O.map((f) => Array.isArray(f.value) ? f.value.join(' ') : String(f.value)), O.getOrElse(() => ''));
+        const audience = flags.audience ||
+            (0, utils_1.getEnvValue)(envConfig, 'AUDIENCE') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['audience']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const redirectUri = flags.redirectUri ||
+            (0, utils_1.getEnvValue)(envConfig, 'REDIRECT_URI') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['redirect_uri', 'redirectUri']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const clientAuthMethod = flags.clientAuthMethod ||
+            (0, utils_1.getEnvValue)(envConfig, 'CLIENT_AUTH_METHOD') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['client_auth_method', 'clientAuthMethod']), O.map((f) => String(f.value)), O.getOrElse(() => 'body'));
+        const disablePkce = flags.disablePkce ||
+            (0, utils_1.getEnvValue)(envConfig, 'DISABLE_PKCE') === 'true' ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['disable_pkce', 'disablePkce']), O.map((f) => Boolean(f.value)), O.getOrElse(() => false));
+        return {
+            tokenUrl,
+            authorizeUrl: authorizeUrl || undefined,
+            deviceCodeUrl: deviceCodeUrl || undefined,
+            clientId,
+            clientSecret: clientSecret || undefined,
+            scope: scope || undefined,
+            audience: audience || undefined,
+            redirectUri: redirectUri || undefined,
+            clientAuthMethod: clientAuthMethod === 'basic' ||
+                clientAuthMethod === 'body' ||
+                clientAuthMethod === 'both'
+                ? clientAuthMethod
+                : 'body',
+            disablePkce,
+        };
+    }
+    /**
+     * Handle refresh token flow
+     */
+    async handleRefreshTokenFlow(config, ctx, envConfig, ctxPath, dryRun) {
+        const refreshToken = (0, utils_1.getEnvValue)(envConfig, 'REFRESH_TOKEN') ||
+            (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['refresh_token', 'refreshToken']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        const tokenResponse = await (0, flows_1.executeRefreshTokenFlow)(config, refreshToken, this.http);
+        if (dryRun) {
+            this.log(JSON.stringify(tokenResponse, null, 2));
+            return;
+        }
+        await (0, token_writer_1.writeTokens)(ctxPath, ctx, tokenResponse);
+    }
+    /**
+     * Determine which grant type to use
+     */
+    determineGrantType(config, ctx, flagGrantType) {
+        if (flagGrantType !== 'auto') {
+            return flagGrantType;
+        }
+        const ctxGrantType = (0, function_1.pipe)((0, utils_1.findFirstByKeys)(ctx, ['grant_type', 'grantType']), O.map((f) => String(f.value)), O.getOrElse(() => ''));
+        if (config.authorizeUrl) {
+            return 'authorization_code';
+        }
+        if (config.deviceCodeUrl) {
+            return 'device_code';
+        }
+        if (ctxGrantType) {
+            return ctxGrantType;
+        }
+        return 'client_credentials';
+    }
+    /**
+     * Execute the appropriate grant type flow
+     */
+    async executeGrantTypeFlow(grantType, config, ctxPath, ctx, openBrowser, dryRun) {
+        let tokenResponse;
+        switch (grantType) {
+            case 'client_credentials':
+                tokenResponse = await (0, flows_1.executeClientCredentialsFlow)(config, this.http);
+                break;
+            case 'authorization_code':
+                tokenResponse = await (0, flows_1.executeAuthorizationCodeFlow)(config, this.http, openBrowser);
+                break;
+            case 'device_code':
+                tokenResponse = await (0, flows_1.executeDeviceCodeFlow)(config, this.http, openBrowser);
+                break;
+            default:
+                this.error(new Error(`Unsupported grant type: ${grantType}`));
+                return;
+        }
+        if (dryRun) {
+            this.log(JSON.stringify(tokenResponse, null, 2));
+            return;
+        }
+        await (0, token_writer_1.writeTokens)(ctxPath, ctx, tokenResponse);
+    }
+}
+exports.default = OAuth2Token;

package/dist/commands/connector/oauth2-token.unit.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth2-token.unit.test.d.ts.map

package/dist/commands/connector/oauth2-token.unit.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-token.unit.test.d.ts","sourceRoot":"","sources":["../../../src/commands/connector/oauth2-token.unit.test.ts"],"names":[],"mappings":""}