@trayio/cdk-cli 5.5.0 → 5.6.0

package/dist/lib/oauth2-token/flows/authorization-code.d.ts

@@ -0,0 +1,4 @@
+import { AxiosHttpClient } from '@trayio/axios/http/AxiosHttpClient';
+import { OAuth2Config, TokenResponse } from '../types';
+export declare const executeAuthorizationCodeFlow: (config: OAuth2Config, httpClient: AxiosHttpClient, shouldOpenBrowser: boolean) => Promise<TokenResponse>;
+//# sourceMappingURL=authorization-code.d.ts.map

package/dist/lib/oauth2-token/flows/authorization-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization-code.d.ts","sourceRoot":"","sources":["../../../../src/lib/oauth2-token/flows/authorization-code.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAOrE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKvD,eAAO,MAAM,4BAA4B,WAChC,YAAY,cACR,eAAe,qBACR,OAAO,KACxB,QAAQ,aAAa,CAiEvB,CAAC"}

package/dist/lib/oauth2-token/flows/authorization-code.js

@@ -0,0 +1,218 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeAuthorizationCodeFlow = void 0;
+/**
+ * OAuth2 Authorization Code Flow with PKCE
+ */
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const http = __importStar(require("http"));
+const inquirer = __importStar(require("inquirer"));
+const Http_1 = require("@trayio/commons/http/Http");
+const BufferExtensions_1 = require("@trayio/commons/buffer/BufferExtensions");
+const crypto_1 = require("../utils/crypto");
+const browser_1 = require("../utils/browser");
+const url_1 = require("../utils/url");
+const executeAuthorizationCodeFlow = async (config, httpClient, shouldOpenBrowser) => {
+    if (!config.tokenUrl || !config.clientId || !config.authorizeUrl) {
+        throw new Error('Missing required parameters: tokenUrl, clientId, and authorizeUrl are required for authorization_code flow');
+    }
+    // Validate URLs are absolute
+    try {
+        const _tokenUrl = new URL(config.tokenUrl);
+    }
+    catch {
+        throw new Error(`Invalid tokenUrl: "${config.tokenUrl}" - must be an absolute URL (e.g., https://example.com/oauth/token)`);
+    }
+    try {
+        const _authorizeUrl = new URL(config.authorizeUrl);
+    }
+    catch {
+        throw new Error(`Invalid authorizeUrl: "${config.authorizeUrl}" - must be an absolute URL (e.g., https://example.com/oauth/authorize)`);
+    }
+    const redirectUri = config.redirectUri || 'http://127.0.0.1:3400/callback';
+    // Generate PKCE if not disabled
+    const pkce = config.disablePkce ? null : (0, crypto_1.generatePkce)();
+    const state = (0, crypto_1.generateState)();
+    const authUrl = new URL(config.authorizeUrl);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('client_id', config.clientId);
+    authUrl.searchParams.set('redirect_uri', redirectUri);
+    if (config.scope)
+        authUrl.searchParams.set('scope', config.scope);
+    if (config.audience)
+        authUrl.searchParams.set('audience', config.audience);
+    // Add PKCE parameters if enabled
+    if (pkce) {
+        authUrl.searchParams.set('code_challenge', pkce.challenge);
+        authUrl.searchParams.set('code_challenge_method', 'S256');
+    }
+    authUrl.searchParams.set('state', state);
+    let code = '';
+    if (shouldOpenBrowser) {
+        // eslint-disable-next-line no-console
+        console.log(chalk_1.default.gray('Opening browser for authorization...'));
+        (0, browser_1.openBrowser)(authUrl.toString());
+    }
+    if ((0, url_1.isLocalhostRedirect)(redirectUri)) {
+        code = await startLocalCallbackServer(redirectUri, state);
+    }
+    else {
+        code = await promptForRedirectUrl(state);
+    }
+    core_1.ux.action.start('Exchanging code for tokens');
+    return exchangeCodeForTokens(config, code, redirectUri, pkce?.verifier, httpClient);
+};
+exports.executeAuthorizationCodeFlow = executeAuthorizationCodeFlow;
+/**
+ * Start a local HTTP server to capture the OAuth callback
+ */
+const startLocalCallbackServer = async (redirectUri, state) => new Promise((resolve, reject) => {
+    const redirect = new URL(redirectUri);
+    const server = http.createServer((req, res) => {
+        try {
+            if (!req.url)
+                return;
+            const received = new URL(req.url, redirect.origin);
+            if (received.pathname !== redirect.pathname)
+                return;
+            const rcvdState = received.searchParams.get('state') || '';
+            const codeParam = received.searchParams.get('code') || '';
+            if (!codeParam)
+                throw new Error('Missing code in redirect');
+            if (rcvdState !== state)
+                throw new Error('State mismatch');
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end('<html><body>Authorization complete. You can close this tab.</body></html>');
+            server.close(() => resolve(codeParam));
+        }
+        catch (err) {
+            server.close(() => reject(err));
+        }
+    });
+    server.listen(Number(redirect.port) || 3400, redirect.hostname, () => {
+        // server ready
+    });
+});
+/**
+ * Prompt user to manually paste the redirect URL (for non-localhost redirects)
+ */
+const promptForRedirectUrl = async (state) => {
+    // eslint-disable-next-line no-console
+    console.log(chalk_1.default.yellow('Redirect URI is not localhost. Complete the flow and paste the resulting redirect URL.'));
+    const { pastedUrl } = await inquirer.prompt([
+        {
+            name: 'pastedUrl',
+            message: 'Paste the full redirect URL:',
+            type: 'input',
+        },
+    ]);
+    const received = new URL(String(pastedUrl));
+    const rcvdState = received.searchParams.get('state') || '';
+    const code = received.searchParams.get('code') || '';
+    if (!code)
+        throw new Error('Missing code in URL');
+    if (state && rcvdState && rcvdState !== state) {
+        throw new Error('State mismatch');
+    }
+    return code;
+};
+/**
+ * Exchange authorization code for access token
+ */
+const exchangeCodeForTokens = async (config, code, redirectUri, verifier, httpClient) => {
+    const formParams = new URLSearchParams();
+    formParams.set('grant_type', 'authorization_code');
+    formParams.set('code', code);
+    formParams.set('redirect_uri', redirectUri);
+    // Only include PKCE verifier if it was generated
+    if (verifier) {
+        formParams.set('code_verifier', verifier);
+    }
+    // Build headers
+    const headers = {
+        'Content-Type': Http_1.HttpContentType.FormUrlEncoded,
+        Accept: Http_1.HttpContentType.Json,
+    };
+    // Determine client authentication method (default to 'body' for backwards compatibility)
+    const authMethod = config.clientAuthMethod || 'body';
+    // Add client credentials based on authentication method
+    if (config.clientSecret) {
+        switch (authMethod) {
+            case 'basic':
+                // HTTP Basic Authentication - send credentials ONLY in Authorization header
+                // Do NOT include in body per OAuth2 spec for confidential clients
+                const credentials = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
+                headers.Authorization = `Basic ${credentials}`;
+                break;
+            case 'both':
+                // Send credentials in both header and body (some providers accept either)
+                const credentialsBoth = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
+                headers.Authorization = `Basic ${credentialsBoth}`;
+                formParams.set('client_id', config.clientId);
+                formParams.set('client_secret', config.clientSecret);
+                break;
+            case 'body':
+            default:
+                // Send credentials in request body (default, backwards compatible)
+                formParams.set('client_id', config.clientId);
+                formParams.set('client_secret', config.clientSecret);
+                break;
+        }
+    }
+    else {
+        // No client secret - public client
+        formParams.set('client_id', config.clientId);
+    }
+    const request = Http_1.HttpRequest.create({
+        headers,
+        pathParams: {},
+        queryString: {},
+        body: Buffer.from(formParams.toString()),
+    });
+    const responseE = await httpClient.execute(Http_1.HttpMethod.Post, config.tokenUrl, request)();
+    if (responseE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw responseE.left;
+    }
+    const bodyBufferE = await BufferExtensions_1.BufferExtensions.readableToArrayBuffer(responseE.right.body)();
+    if (bodyBufferE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw bodyBufferE.left;
+    }
+    const tokenResponse = JSON.parse(Buffer.from(bodyBufferE.right).toString('utf-8'));
+    if (!tokenResponse.access_token) {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        // eslint-disable-next-line no-console
+        console.error(chalk_1.default.red('\nToken response from server:'), JSON.stringify(tokenResponse, null, 2));
+        throw new Error(`No access_token in token response. Server returned: ${JSON.stringify(tokenResponse)}`);
+    }
+    core_1.ux.action.stop(chalk_1.default.green('done'));
+    return tokenResponse;
+};

package/dist/lib/oauth2-token/flows/client-credentials.d.ts

@@ -0,0 +1,4 @@
+import { AxiosHttpClient } from '@trayio/axios/http/AxiosHttpClient';
+import { OAuth2Config, TokenResponse } from '../types';
+export declare const executeClientCredentialsFlow: (config: OAuth2Config, http: AxiosHttpClient) => Promise<TokenResponse>;
+//# sourceMappingURL=client-credentials.d.ts.map

package/dist/lib/oauth2-token/flows/client-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.d.ts","sourceRoot":"","sources":["../../../../src/lib/oauth2-token/flows/client-credentials.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAOrE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEvD,eAAO,MAAM,4BAA4B,WAChC,YAAY,QACd,eAAe,KACnB,QAAQ,aAAa,CAqDvB,CAAC"}

package/dist/lib/oauth2-token/flows/client-credentials.js

@@ -0,0 +1,55 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeClientCredentialsFlow = void 0;
+/**
+ * OAuth2 Client Credentials Flow
+ */
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const Http_1 = require("@trayio/commons/http/Http");
+const BufferExtensions_1 = require("@trayio/commons/buffer/BufferExtensions");
+const executeClientCredentialsFlow = async (config, http) => {
+    if (!config.tokenUrl || !config.clientId || !config.clientSecret) {
+        throw new Error('Missing required parameters: tokenUrl, clientId, and clientSecret are required for client_credentials flow');
+    }
+    core_1.ux.action.start('Requesting OAuth2 token (client_credentials)');
+    const formParams = new URLSearchParams();
+    formParams.set('grant_type', 'client_credentials');
+    formParams.set('client_id', config.clientId);
+    formParams.set('client_secret', config.clientSecret);
+    if (config.scope)
+        formParams.set('scope', config.scope);
+    if (config.audience)
+        formParams.set('audience', config.audience);
+    const request = Http_1.HttpRequest.create({
+        headers: {
+            'Content-Type': Http_1.HttpContentType.FormUrlEncoded,
+            Accept: Http_1.HttpContentType.Json,
+        },
+        pathParams: {},
+        queryString: {},
+        body: Buffer.from(formParams.toString()),
+    });
+    const responseE = await http.execute(Http_1.HttpMethod.Post, config.tokenUrl, request)();
+    if (responseE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw responseE.left;
+    }
+    const bodyBufferE = await BufferExtensions_1.BufferExtensions.readableToArrayBuffer(responseE.right.body)();
+    if (bodyBufferE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw bodyBufferE.left;
+    }
+    const jsonText = Buffer.from(bodyBufferE.right).toString('utf-8');
+    const tokenResponse = JSON.parse(jsonText);
+    if (!tokenResponse.access_token) {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw new Error('No access_token in token response');
+    }
+    core_1.ux.action.stop(chalk_1.default.green('done'));
+    return tokenResponse;
+};
+exports.executeClientCredentialsFlow = executeClientCredentialsFlow;

package/dist/lib/oauth2-token/flows/device-code.d.ts

@@ -0,0 +1,4 @@
+import { AxiosHttpClient } from '@trayio/axios/http/AxiosHttpClient';
+import { OAuth2Config, TokenResponse } from '../types';
+export declare const executeDeviceCodeFlow: (config: OAuth2Config, httpClient: AxiosHttpClient, shouldOpenBrowser: boolean) => Promise<TokenResponse>;
+//# sourceMappingURL=device-code.d.ts.map

package/dist/lib/oauth2-token/flows/device-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../../../src/lib/oauth2-token/flows/device-code.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAOrE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAa,MAAM,UAAU,CAAC;AAIlE,eAAO,MAAM,qBAAqB,WACzB,YAAY,cACR,eAAe,qBACR,OAAO,KACxB,QAAQ,aAAa,CAevB,CAAC"}

package/dist/lib/oauth2-token/flows/device-code.js

@@ -0,0 +1,143 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeDeviceCodeFlow = void 0;
+/**
+ * OAuth2 Device Code Flow
+ */
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const Http_1 = require("@trayio/commons/http/Http");
+const BufferExtensions_1 = require("@trayio/commons/buffer/BufferExtensions");
+const browser_1 = require("../utils/browser");
+const url_1 = require("../utils/url");
+const executeDeviceCodeFlow = async (config, httpClient, shouldOpenBrowser) => {
+    if (!config.tokenUrl || !config.clientId || !config.deviceCodeUrl) {
+        throw new Error('Missing required parameters: tokenUrl, clientId, and deviceCodeUrl are required for device_code flow');
+    }
+    // Step 1: Initialize device authorization
+    const deviceInit = await initializeDeviceAuthorization(config, httpClient);
+    // Step 2: Display user code and verification URL
+    displayDeviceAuthInstructions(deviceInit, shouldOpenBrowser);
+    // Step 3: Poll for token
+    return pollForDeviceToken(config, deviceInit, httpClient);
+};
+exports.executeDeviceCodeFlow = executeDeviceCodeFlow;
+/**
+ * Initialize device authorization and get device code
+ */
+const initializeDeviceAuthorization = async (config, httpClient) => {
+    core_1.ux.action.start('Starting device authorization');
+    const initParams = new URLSearchParams();
+    initParams.set('client_id', config.clientId);
+    if (config.clientSecret)
+        initParams.set('client_secret', config.clientSecret);
+    if (config.scope)
+        initParams.set('scope', config.scope);
+    if (config.audience)
+        initParams.set('audience', config.audience);
+    const request = Http_1.HttpRequest.create({
+        headers: {
+            'Content-Type': Http_1.HttpContentType.FormUrlEncoded,
+            Accept: Http_1.HttpContentType.Json,
+        },
+        pathParams: {},
+        queryString: {},
+        body: Buffer.from(initParams.toString()),
+    });
+    const responseE = await httpClient.execute(Http_1.HttpMethod.Post, config.deviceCodeUrl, request)();
+    if (responseE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw responseE.left;
+    }
+    const bodyBufferE = await BufferExtensions_1.BufferExtensions.readableToArrayBuffer(responseE.right.body)();
+    if (bodyBufferE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw bodyBufferE.left;
+    }
+    const deviceInit = JSON.parse(Buffer.from(bodyBufferE.right).toString('utf-8'));
+    core_1.ux.action.stop(chalk_1.default.green('done'));
+    return deviceInit;
+};
+/**
+ * Display user code and verification URL instructions
+ */
+const displayDeviceAuthInstructions = (deviceInit, shouldOpenBrowser) => {
+    const verificationUri = deviceInit.verification_uri || deviceInit.verification_uri_complete;
+    const verificationUriComplete = deviceInit.verification_uri_complete;
+    // eslint-disable-next-line no-console
+    console.log(chalk_1.default.gray(`User code: ${deviceInit.user_code}`));
+    // eslint-disable-next-line no-console
+    console.log(chalk_1.default.gray(`Visit: ${verificationUri}`));
+    if (shouldOpenBrowser && verificationUriComplete) {
+        (0, browser_1.openBrowser)(verificationUriComplete);
+    }
+};
+/**
+ * Poll token endpoint until authorization is complete
+ */
+const pollForDeviceToken = async (config, deviceInit, httpClient) => {
+    const expiresIn = Number(deviceInit.expires_in) || 900;
+    let intervalMs = (Number(deviceInit.interval) || 5) * 1000;
+    const deadline = Date.now() + expiresIn * 1000;
+    core_1.ux.action.start('Waiting for user authorization');
+    /* eslint-disable no-await-in-loop */
+    while (Date.now() < deadline) {
+        const pollParams = new URLSearchParams();
+        pollParams.set('grant_type', 'urn:ietf:params:oauth:grant-type:device_code');
+        pollParams.set('device_code', deviceInit.device_code);
+        pollParams.set('client_id', config.clientId);
+        if (config.clientSecret) {
+            pollParams.set('client_secret', config.clientSecret);
+        }
+        const request = Http_1.HttpRequest.create({
+            headers: {
+                'Content-Type': Http_1.HttpContentType.FormUrlEncoded,
+                Accept: Http_1.HttpContentType.Json,
+            },
+            pathParams: {},
+            queryString: {},
+            body: Buffer.from(pollParams.toString()),
+        });
+        const responseE = await httpClient.execute(Http_1.HttpMethod.Post, config.tokenUrl, request)();
+        if (responseE._tag === 'Left') {
+            core_1.ux.action.stop(chalk_1.default.red('failed'));
+            throw responseE.left;
+        }
+        const bodyBufferE = await BufferExtensions_1.BufferExtensions.readableToArrayBuffer(responseE.right.body)();
+        if (bodyBufferE._tag === 'Left') {
+            core_1.ux.action.stop(chalk_1.default.red('failed'));
+            throw bodyBufferE.left;
+        }
+        const pollResponse = JSON.parse(Buffer.from(bodyBufferE.right).toString('utf-8'));
+        if (pollResponse.access_token) {
+            core_1.ux.action.stop(chalk_1.default.green('done'));
+            return pollResponse;
+        }
+        const err = String(pollResponse.error || 'authorization_pending');
+        if (err === 'authorization_pending') {
+            await (0, url_1.sleep)(intervalMs);
+        }
+        else if (err === 'slow_down') {
+            intervalMs += 5000;
+            await (0, url_1.sleep)(intervalMs);
+        }
+        else if (err === 'access_denied') {
+            core_1.ux.action.stop(chalk_1.default.red('denied'));
+            throw new Error('User denied the request');
+        }
+        else if (err === 'expired_token' || err === 'expired') {
+            core_1.ux.action.stop(chalk_1.default.red('expired'));
+            throw new Error('The device code has expired');
+        }
+        else {
+            // Unknown error; wait a bit and try again
+            await (0, url_1.sleep)(intervalMs);
+        }
+    }
+    /* eslint-enable no-await-in-loop */
+    core_1.ux.action.stop(chalk_1.default.red('timeout'));
+    throw new Error('Timed out waiting for device authorization');
+};

package/dist/lib/oauth2-token/flows/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * OAuth2 Flow handlers
+ */
+export { executeClientCredentialsFlow } from './client-credentials';
+export { executeAuthorizationCodeFlow } from './authorization-code';
+export { executeDeviceCodeFlow } from './device-code';
+export { executeRefreshTokenFlow } from './refresh-token';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/oauth2-token/flows/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/lib/oauth2-token/flows/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,4BAA4B,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,EAAE,4BAA4B,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/lib/oauth2-token/flows/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeRefreshTokenFlow = exports.executeDeviceCodeFlow = exports.executeAuthorizationCodeFlow = exports.executeClientCredentialsFlow = void 0;
+/**
+ * OAuth2 Flow handlers
+ */
+var client_credentials_1 = require("./client-credentials");
+Object.defineProperty(exports, "executeClientCredentialsFlow", { enumerable: true, get: function () { return client_credentials_1.executeClientCredentialsFlow; } });
+var authorization_code_1 = require("./authorization-code");
+Object.defineProperty(exports, "executeAuthorizationCodeFlow", { enumerable: true, get: function () { return authorization_code_1.executeAuthorizationCodeFlow; } });
+var device_code_1 = require("./device-code");
+Object.defineProperty(exports, "executeDeviceCodeFlow", { enumerable: true, get: function () { return device_code_1.executeDeviceCodeFlow; } });
+var refresh_token_1 = require("./refresh-token");
+Object.defineProperty(exports, "executeRefreshTokenFlow", { enumerable: true, get: function () { return refresh_token_1.executeRefreshTokenFlow; } });

package/dist/lib/oauth2-token/flows/refresh-token.d.ts

@@ -0,0 +1,4 @@
+import { AxiosHttpClient } from '@trayio/axios/http/AxiosHttpClient';
+import { OAuth2Config, TokenResponse } from '../types';
+export declare const executeRefreshTokenFlow: (config: OAuth2Config, refreshToken: string, http: AxiosHttpClient) => Promise<TokenResponse>;
+//# sourceMappingURL=refresh-token.d.ts.map

package/dist/lib/oauth2-token/flows/refresh-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../../../src/lib/oauth2-token/flows/refresh-token.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAOrE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEvD,eAAO,MAAM,uBAAuB,WAC3B,YAAY,gBACN,MAAM,QACd,eAAe,KACnB,QAAQ,aAAa,CA4DvB,CAAC"}

package/dist/lib/oauth2-token/flows/refresh-token.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeRefreshTokenFlow = void 0;
+/**
+ * OAuth2 Refresh Token Flow
+ */
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const Http_1 = require("@trayio/commons/http/Http");
+const BufferExtensions_1 = require("@trayio/commons/buffer/BufferExtensions");
+const executeRefreshTokenFlow = async (config, refreshToken, http) => {
+    if (!refreshToken) {
+        throw new Error('No refresh token found in context file. Run without --refresh flag to obtain initial tokens.');
+    }
+    if (!config.tokenUrl || !config.clientId) {
+        throw new Error('Unable to locate tokenUrl or clientId. Provide overrides with flags or include them in your test.ctx.json.');
+    }
+    core_1.ux.action.start('Refreshing OAuth2 token');
+    const formParams = new URLSearchParams();
+    formParams.set('grant_type', 'refresh_token');
+    formParams.set('refresh_token', refreshToken);
+    formParams.set('client_id', config.clientId);
+    if (config.clientSecret)
+        formParams.set('client_secret', config.clientSecret);
+    if (config.scope)
+        formParams.set('scope', config.scope);
+    if (config.audience)
+        formParams.set('audience', config.audience);
+    const request = Http_1.HttpRequest.create({
+        headers: {
+            'Content-Type': Http_1.HttpContentType.FormUrlEncoded,
+            Accept: Http_1.HttpContentType.Json,
+        },
+        pathParams: {},
+        queryString: {},
+        body: Buffer.from(formParams.toString()),
+    });
+    const responseE = await http.execute(Http_1.HttpMethod.Post, config.tokenUrl, request)();
+    if (responseE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw responseE.left;
+    }
+    const bodyBufferE = await BufferExtensions_1.BufferExtensions.readableToArrayBuffer(responseE.right.body)();
+    if (bodyBufferE._tag === 'Left') {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw bodyBufferE.left;
+    }
+    const jsonText = Buffer.from(bodyBufferE.right).toString('utf-8');
+    const tokenResponse = JSON.parse(jsonText);
+    if (!tokenResponse.access_token) {
+        core_1.ux.action.stop(chalk_1.default.red('failed'));
+        throw new Error('No access_token in refresh response');
+    }
+    core_1.ux.action.stop(chalk_1.default.green('done'));
+    return tokenResponse;
+};
+exports.executeRefreshTokenFlow = executeRefreshTokenFlow;

package/dist/lib/oauth2-token/token-writer.d.ts

@@ -0,0 +1,7 @@
+import { AnyObject, TokenResponse } from './types';
+/**
+ * Write OAuth2 tokens to context file
+ * Attempts to find the appropriate location (near client credentials) or falls back to auth.user, then root
+ */
+export declare const writeTokens: (ctxPath: string, ctx: AnyObject, tokenResponse: TokenResponse) => Promise<void>;
+//# sourceMappingURL=token-writer.d.ts.map

package/dist/lib/oauth2-token/token-writer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-writer.d.ts","sourceRoot":"","sources":["../../../src/lib/oauth2-token/token-writer.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAInD;;;GAGG;AACH,eAAO,MAAM,WAAW,YACd,MAAM,OACV,SAAS,iBACC,aAAa,KAC1B,QAAQ,IAAI,CAmDd,CAAC"}

package/dist/lib/oauth2-token/token-writer.js

@@ -0,0 +1,83 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeTokens = void 0;
+/**
+ * Token writer - responsible for writing OAuth2 tokens back to context file
+ */
+const chalk_1 = __importDefault(require("chalk"));
+const O = __importStar(require("fp-ts/Option"));
+const function_1 = require("fp-ts/function");
+const json_1 = require("./utils/json");
+const file_1 = require("./utils/file");
+/**
+ * Write OAuth2 tokens to context file
+ * Attempts to find the appropriate location (near client credentials) or falls back to auth.user, then root
+ */
+const writeTokens = async (ctxPath, ctx, tokenResponse) => {
+    // Decide where to write access_token: prefer the object that contains client credentials
+    const credsContainerOpt = (0, function_1.pipe)((0, json_1.findFirstByKeys)(ctx, ['client_secret', 'clientSecret']), O.alt(() => (0, json_1.findFirstByKeys)(ctx, ['client_id', 'clientId'])), O.alt(() => (0, json_1.findFirstByKeys)(ctx, ['token_url', 'tokenUrl', 'tokenEndpoint'])));
+    // Determine the container to write tokens to
+    let container;
+    if (O.isSome(credsContainerOpt)) {
+        // Found client credentials, use that parent object
+        container = credsContainerOpt.value.parent;
+    }
+    else if (ctx.auth &&
+        typeof ctx.auth === 'object' &&
+        ctx.auth.user &&
+        typeof ctx.auth.user === 'object') {
+        // Look for auth.user object as fallback
+        container = ctx.auth.user;
+    }
+    else if (ctx.user && typeof ctx.user === 'object') {
+        // Also check for user at root level
+        container = ctx.user;
+    }
+    else {
+        // Final fallback: write to root
+        container = ctx;
+    }
+    // Write the tokens to the determined container
+    container.access_token = tokenResponse.access_token;
+    if (tokenResponse.refresh_token) {
+        container.refresh_token = tokenResponse.refresh_token;
+    }
+    if (typeof tokenResponse.expires_in === 'number') {
+        container.expires_in = tokenResponse.expires_in;
+        container.expires_at =
+            Math.floor(Date.now() / 1000) + tokenResponse.expires_in;
+    }
+    if (tokenResponse.token_type) {
+        container.token_type = tokenResponse.token_type;
+    }
+    await (0, file_1.writeJsonFile)(ctxPath, ctx);
+    // eslint-disable-next-line no-console
+    console.log(chalk_1.default.bold(chalk_1.default.green('Access token written to test context file')));
+};
+exports.writeTokens = writeTokens;