@uipath/auth 1.1.0 → 1.195.0

package/dist/authContext.d.ts

@@ -0,0 +1,17 @@
+export interface AuthContext {
+    baseUrl: string;
+    accessToken: string;
+    organizationId?: string;
+    organizationName?: string;
+    tenantId?: string;
+    tenantName?: string;
+}
+export interface GetAuthContextOptions {
+    tenant?: string;
+    ensureTokenValidityMinutes?: number;
+    requireOrganizationId?: boolean;
+    requireOrganizationName?: boolean;
+    requireTenantId?: boolean;
+    requireTenantName?: boolean;
+}
+export declare const getAuthContext: (options?: GetAuthContextOptions) => Promise<AuthContext>;

package/dist/catch-error.d.ts

@@ -0,0 +1,5 @@
+type CatchErrorResult<T> = [undefined, T] | [Error, undefined];
+export declare function catchError<T>(fnOrPromise: Promise<T>): Promise<CatchErrorResult<T>>;
+export declare function catchError<T>(fnOrPromise: () => Promise<T>): Promise<CatchErrorResult<T>>;
+export declare function catchError<T>(fnOrPromise: () => T): CatchErrorResult<T>;
+export {};

package/dist/clientCredentials.d.ts

@@ -0,0 +1,9 @@
+import type { BaseCredentials } from "./types";
+interface ClientCredentialsLoginProps {
+    clientId: string;
+    clientSecret: string;
+    scope?: string[];
+    authority?: string;
+}
+export declare const clientCredentialsLogin: ({ clientId, clientSecret, scope, authority, }: ClientCredentialsLoginProps) => Promise<BaseCredentials>;
+export {};

package/dist/config.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Auth-relevant slice of the on-disk CLI config. Auth itself does no
+ * filesystem I/O — the CLI loads `.uipath/config.json`, picks the `auth`
+ * section, and pushes it here via {@link setAuthFileConfig}. Tools that
+ * bundle their own copy of `@uipath/auth` see the same value because the
+ * slot is keyed by `Symbol.for()` on `globalThis`.
+ */
+export interface AuthFileConfig {
+    clientId?: string;
+    clientSecret?: string;
+    authority?: string;
+    scopes?: string[];
+}
+/**
+ * Push the resolved `auth.*` block of the on-disk config into auth.
+ * Called by the CLI host once at startup; safe to call repeatedly.
+ */
+export declare const setAuthFileConfig: (cfg: AuthFileConfig | undefined) => void;
+/**
+ * Error thrown when an invalid base URL is provided
+ */
+export declare class InvalidBaseUrlError extends Error {
+    readonly url: string;
+    readonly reason: string;
+    constructor(url: string, reason: string);
+}
+/**
+ * Default OAuth scopes requested during authentication.
+ *
+ * Identity is expected to expand the issued token to every scope granted
+ * to the CLI client (the "assistant pattern"), so the CLI only asks for
+ * the OIDC base set. Adding product-specific scopes here re-introduces
+ * per-deployment configuration coupling on Automation Suite, where each
+ * scope must be granted to the client in the Identity database.
+ */
+export declare const DEFAULT_SCOPES: string[];
+interface EndpointsConfig {
+    clientId: string;
+    clientSecret?: string;
+    baseUrl: string;
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    /**
+     * Effective scope list: caller-provided scope wins; file-config
+     * `auth.scopes` is the secondary fallback; {@link DEFAULT_SCOPES} the
+     * tertiary. Pre-resolved here so callers can trust a single source of
+     * truth instead of re-implementing the precedence at every call site.
+     */
+    scopes: string[];
+}
+interface ResolveConfigProps {
+    customAuthority?: string;
+    customClientId?: string;
+    customClientSecret?: string;
+    customScopes?: string[];
+}
+/**
+ * Normalize and validate a UiPath base URL.
+ *
+ * Applies the same rules used by the interactive login flow so every
+ * source of baseUrl (user config, env var, JWT `iss` claim) produces
+ * a canonical `https://<host>` string:
+ *   • strips a trailing `/identity_` or `/identity_/` (users paste the
+ *     full identity endpoint and we need just the authority);
+ *   • strips trailing slashes;
+ *   • validates the result as a parseable `https://` URL;
+ *   • strips any path segments — organization is carried separately.
+ *
+ * Throws {@link InvalidBaseUrlError} on any failure.
+ */
+export declare const normalizeAndValidateBaseUrl: (rawUrl: string) => string;
+export declare const resolveConfigAsync: ({ customAuthority, customClientId, customClientSecret, customScopes, }?: ResolveConfigProps) => Promise<EndpointsConfig>;
+export {};

package/dist/constants.d.ts

@@ -0,0 +1,10 @@
+/** Home directory for UiPath CLI auth data: ~/.uipath/ */
+export declare const UIPATH_HOME_DIR = ".uipath";
+/** Auth credentials filename within the UiPath home directory. */
+export declare const AUTH_FILENAME = ".auth";
+/** Default UiPath cloud base URL. */
+export declare const DEFAULT_BASE_URL = "https://cloud.uipath.com";
+/** Auth callback server timeout (5 minutes). */
+export declare const DEFAULT_AUTH_TIMEOUT_MS: number;
+/** Localhost OIDC redirect URI. */
+export declare const DEFAULT_REDIRECT_URI = "http://localhost:8104/oidc/login";

package/dist/envAuth.d.ts

@@ -0,0 +1,75 @@
+import type { LoginStatus } from "./loginStatus";
+/**
+ * Environment variable that opts the CLI into sourcing authentication
+ * data from env vars instead of the `.uipath/.auth` file. Must be set
+ * to the literal string `"true"`.
+ */
+export declare const ENV_AUTH_ENABLE_VAR = "UIPATH_CLI_ENABLE_ENV_AUTH";
+/**
+ * Environment variable that opts the CLI into Robot-IPC-only authentication.
+ * Must be set to the literal string `"true"`. When set:
+ *   - `~/.uipath/.auth` is **not consulted** (file lookup is skipped entirely;
+ *     a stale or expired file cannot block the Robot path).
+ *   - `UIPATH_CLI_ENABLE_ENV_AUTH=true` set in parallel raises
+ *     {@link EnvAuthConfigError} ("mutually exclusive flags") rather than
+ *     being silently overridden — the two opt-ins contradict each other and
+ *     the user must resolve the conflict.
+ *   - The Robot fallback runs first and is required to succeed.
+ *   - If the Robot is not running / not signed in, the CLI returns
+ *     `loginStatus: "Not logged in"` with a hint pointing at this env var
+ *     and the Assistant — no fallback to file or env-auth.
+ * Intended as a per-process opt-in (set on the spawned `uip` child only)
+ * for consumers like Studio Desktop that authenticate through the local
+ * Robot. See GH issue #2131.
+ */
+export declare const ENFORCE_ROBOT_AUTH_VAR = "UIPATH_CLI_ENFORCE_ROBOT_AUTH";
+/**
+ * Names of the env vars consumed when {@link ENV_AUTH_ENABLE_VAR} is
+ * enabled. The server URL (`baseUrl`) is not listed here — it is
+ * derived from the JWT's `iss` claim, which is the authoritative
+ * source for the authority that minted the token.
+ *
+ * NOTE: insertion order of these keys is the public ordering of the
+ * `Vars` array surfaced by `uip login which`. Reordering changes CLI
+ * output that programmatic consumers may parse positionally.
+ */
+export declare const ENV_AUTH_VARS: {
+    readonly token: "UIPATH_CLI_AUTH_TOKEN";
+    readonly organizationName: "UIPATH_CLI_ORGANIZATION_NAME";
+    readonly organizationId: "UIPATH_CLI_ORGANIZATION_ID";
+    readonly tenantName: "UIPATH_CLI_TENANT_NAME";
+    readonly tenantId: "UIPATH_CLI_TENANT_ID";
+};
+/**
+ * Error thrown when env-var auth is enabled but the configuration is
+ * incomplete or invalid. Surfaces the specific variable at fault so
+ * the user can correct the CI setup without guessing.
+ */
+export declare class EnvAuthConfigError extends Error {
+    constructor(message: string);
+}
+/**
+ * Whether env-var auth is active. Checked at the top of
+ * {@link getLoginStatusWithDeps} so that when the gate is off the
+ * existing file-based flow is entirely unaffected.
+ */
+export declare const isEnvAuthEnabled: () => boolean;
+/**
+ * Whether Robot-only enforcement is active. See {@link ENFORCE_ROBOT_AUTH_VAR}.
+ */
+export declare const isRobotAuthEnforced: () => boolean;
+/**
+ * Build a {@link LoginStatus} from environment variables, bypassing
+ * disk I/O and token refresh entirely.
+ *
+ * The access token is treated as opaque — whoever populated the env
+ * var is responsible for its freshness. If the token carries a JWT
+ * `exp` that has already passed, the status is reported as `Expired`
+ * (mirroring the file-based flow), but no refresh is attempted: there
+ * is no refresh token in the env-var contract and the CLI has no way
+ * to update a secret it did not mint.
+ *
+ * baseUrl is derived from the token's `iss` claim so the env-var set
+ * can stay aligned with the GH #1034 spec (five vars, no URL).
+ */
+export declare const readAuthFromEnv: () => LoginStatus;

package/dist/getBaseHtml.d.ts

@@ -0,0 +1,7 @@
+interface GetBaseHtmlProps {
+    title: string;
+    message: string;
+    type: "success" | "error";
+}
+export declare const getBaseHtml: ({ title, message, type }: GetBaseHtmlProps) => string;
+export {};

package/dist/index.browser.d.ts

@@ -0,0 +1,10 @@
+export * from "./authContext";
+export * from "./clientCredentials";
+export { type AuthFileConfig, InvalidBaseUrlError, setAuthFileConfig, } from "./config";
+export * from "./loginStatus";
+export * from "./logout";
+export { fetchTenantsAndOrganizations, type Tenant, type TenantsAndOrganizations, } from "./tenantSelection";
+export * from "./tokenRefresh";
+export type { BaseCredentials } from "./types";
+export { DEFAULT_AUTH_FILENAME, DEFAULT_ENV_FILENAME, type EnvFileErrorCode, type EnvFileLocation, type EnvFileSource, type EnvFileUnusable, type EnvFileUnusableReason, loadEnvFileAsync, resolveEnvFileLocationAsync, resolveEnvFilePathAsync, saveEnvFileAsync, } from "./utils/envFile";
+export { isBrowser, isNode } from "./utils/platform";

package/dist/index.browser.js

@@ -69,32 +69,7 @@ class InvalidBaseUrlError extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights",
-  "ReferenceToken",
-  "Audit.Read"
-];
+var DEFAULT_SCOPES = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -144,7 +119,8 @@ var resolveConfigAsync = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
   return {
     clientId,
     clientSecret,
@@ -653,6 +629,129 @@ function normalizeTokenRefreshFailure() {
 function normalizeTokenRefreshUnavailableFailure() {
   return "token refresh failed before authentication completed";
 }
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage(error)}`
+        }
+      }
+    };
+  }
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
 var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
@@ -727,73 +826,103 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs = getFs();
+    const globalPath = fs.path.join(fs.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
-    } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
-      return {
-        loginStatus: "Refresh Failed",
-        hint,
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage
-        }
-      };
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
     }
-    const refreshedExp = getTokenExpiration(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
+    } catch (error) {
+      const msg = errorMessage(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file" /* File */,
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
+    let lockedFailure;
     try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
+      const outcome = await runRefreshLocked({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig
       });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
+        }
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
+    }
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -808,23 +937,13 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     expiration,
     source: "file" /* File */,
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs = getFs();
-    const globalPath = fs.path.join(fs.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -884,9 +1003,11 @@ var clientCredentialsLogin = async ({
   const params = {
     grant_type: "client_credentials",
     client_id: config.clientId,
-    client_secret: config.clientSecret ?? "",
-    scope: config.scopes.join(" ")
+    client_secret: config.clientSecret ?? ""
   };
+  if (config.scopes.length > 0) {
+    params.scope = config.scopes.join(" ");
+  }
   const tokenResponse = await fetch(config.tokenEndpoint, {
     method: "POST",
     headers: {
@@ -933,7 +1054,21 @@ async function logoutWithDeps(options, deps = {}) {
   const fs = getFs();
   const { absolutePath } = await resolveEnvFilePath(options.file);
   if (absolutePath && await fs.exists(absolutePath)) {
-    await fs.rm(absolutePath);
+    let release;
+    try {
+      if (typeof fs.acquireLock === "function") {
+        release = await fs.acquireLock(absolutePath);
+      }
+    } catch {
+      release = undefined;
+    }
+    try {
+      await fs.rm(absolutePath);
+    } finally {
+      if (release) {
+        await release().catch(() => {});
+      }
+    }
     return {
       success: true,
       message: `Logged out successfully. Removed ${absolutePath}`,

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+export * from "./authContext";
+export * from "./clientCredentials";
+export { type AuthFileConfig, InvalidBaseUrlError, setAuthFileConfig, } from "./config";
+export { ENFORCE_ROBOT_AUTH_VAR, ENV_AUTH_ENABLE_VAR, ENV_AUTH_VARS, EnvAuthConfigError, isEnvAuthEnabled, isRobotAuthEnforced, readAuthFromEnv, } from "./envAuth";
+export * from "./interactive";
+export * from "./loginStatus";
+export * from "./logout";
+export { type SelectFromList, selectTenantWithDeps } from "./selectTenant";
+export { AUTH_TIMEOUT_ERROR_CODE } from "./server";
+export { fetchTenantsAndOrganizations, type Tenant, type TenantsAndOrganizations, } from "./tenantSelection";
+export * from "./tokenRefresh";
+export type { BaseCredentials } from "./types";
+export { DEFAULT_AUTH_FILENAME, DEFAULT_ENV_FILENAME, type EnvFileErrorCode, type EnvFileLocation, type EnvFileSource, type EnvFileUnusable, type EnvFileUnusableReason, loadEnvFileAsync, resolveEnvFileLocationAsync, resolveEnvFilePathAsync, saveEnvFileAsync, } from "./utils/envFile";
+export { parseJWT } from "./utils/jwt";
+export { isBrowser, isNode } from "./utils/platform";
+interface AuthenticateOptions {
+    baseUrl?: string;
+    clientId?: string;
+    clientSecret?: string;
+    redirectUri?: URL;
+    scope?: string[];
+    organization?: string;
+}
+export declare const authenticate: ({ baseUrl, clientId, clientSecret, redirectUri, scope, organization, }: AuthenticateOptions) => Promise<{
+    accessToken: string;
+    refreshToken: string;
+}>;