@uipath/auth 1.1.0 → 1.196.0

package/dist/authContext.d.ts

@@ -0,0 +1,39 @@
+import { type GetLoginStatusOptions, type LoginStatus } from "./loginStatus";
+export interface AuthContext {
+    baseUrl: string;
+    accessToken: string;
+    organizationId?: string;
+    organizationName?: string;
+    tenantId?: string;
+    tenantName?: string;
+}
+export interface GetAuthContextOptions {
+    tenant?: string;
+    ensureTokenValidityMinutes?: number;
+    requireOrganizationId?: boolean;
+    requireOrganizationName?: boolean;
+    requireTenantId?: boolean;
+    requireTenantName?: boolean;
+    /**
+     * Resolve credentials from this exact `.uipath/.auth` path instead of the
+     * default cwd→ancestors→home walk-up. Lets an in-process host (e.g. the VS
+     * Code extension) pin auth to a specific file — the same `envFilePath`
+     * {@link getLoginStatusAsync} already accepts — so concurrent operations
+     * against different credential files don't cross-contaminate.
+     */
+    envFilePath?: string;
+}
+export declare const getAuthContext: (options?: GetAuthContextOptions) => Promise<AuthContext>;
+export interface AuthEnvResult {
+    /** UiPath credential env vars to merge into a subprocess env. Empty when not logged in. */
+    authEnv: Record<string, string>;
+    /** The login status used to build {@link authEnv}, or undefined when it could not be read. */
+    loginStatus?: LoginStatus;
+}
+/**
+ * Build UiPath credential env vars from the live `uip login` status, for
+ * injecting into a spawned process. The token is refreshed so the child gets
+ * a valid bearer token, not a stale one off disk. Never throws: returns an
+ * empty `authEnv` when there is no usable login.
+ */
+export declare const getAuthEnv: (options?: GetLoginStatusOptions) => Promise<AuthEnvResult>;

package/dist/catch-error.d.ts

@@ -0,0 +1,5 @@
+type CatchErrorResult<T> = [undefined, T] | [Error, undefined];
+export declare function catchError<T>(fnOrPromise: Promise<T>): Promise<CatchErrorResult<T>>;
+export declare function catchError<T>(fnOrPromise: () => Promise<T>): Promise<CatchErrorResult<T>>;
+export declare function catchError<T>(fnOrPromise: () => T): CatchErrorResult<T>;
+export {};

package/dist/clientCredentials.d.ts

@@ -0,0 +1,9 @@
+import type { BaseCredentials } from "./types";
+interface ClientCredentialsLoginProps {
+    clientId: string;
+    clientSecret: string;
+    scope?: string[];
+    authority?: string;
+}
+export declare const clientCredentialsLogin: ({ clientId, clientSecret, scope, authority, }: ClientCredentialsLoginProps) => Promise<BaseCredentials>;
+export {};

package/dist/config.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Auth-relevant slice of the on-disk CLI config. Auth itself does no
+ * filesystem I/O — the CLI loads `.uipath/config.json`, picks the `auth`
+ * section, and pushes it here via {@link setAuthFileConfig}. Tools that
+ * bundle their own copy of `@uipath/auth` see the same value because the
+ * slot is keyed by `Symbol.for()` on `globalThis`.
+ */
+export interface AuthFileConfig {
+    clientId?: string;
+    clientSecret?: string;
+    authority?: string;
+    scopes?: string[];
+}
+/**
+ * Push the resolved `auth.*` block of the on-disk config into auth.
+ * Called by the CLI host once at startup; safe to call repeatedly.
+ */
+export declare const setAuthFileConfig: (cfg: AuthFileConfig | undefined) => void;
+/**
+ * Error thrown when an invalid base URL is provided
+ */
+export declare class InvalidBaseUrlError extends Error {
+    readonly url: string;
+    readonly reason: string;
+    constructor(url: string, reason: string);
+}
+/**
+ * Default OAuth scopes requested during authentication.
+ *
+ * Identity is expected to expand the issued token to every scope granted
+ * to the CLI client (the "assistant pattern"), so the CLI only asks for
+ * the OIDC base set. Adding product-specific scopes here re-introduces
+ * per-deployment configuration coupling on Automation Suite, where each
+ * scope must be granted to the client in the Identity database.
+ */
+export declare const DEFAULT_SCOPES: string[];
+interface EndpointsConfig {
+    clientId: string;
+    clientSecret?: string;
+    baseUrl: string;
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    /**
+     * Effective scope list: caller-provided scope wins; file-config
+     * `auth.scopes` is the secondary fallback; {@link DEFAULT_SCOPES} the
+     * tertiary. Pre-resolved here so callers can trust a single source of
+     * truth instead of re-implementing the precedence at every call site.
+     */
+    scopes: string[];
+}
+interface ResolveConfigProps {
+    customAuthority?: string;
+    customClientId?: string;
+    customClientSecret?: string;
+    customScopes?: string[];
+}
+/**
+ * Normalize and validate a UiPath base URL.
+ *
+ * Applies the same rules used by the interactive login flow so every
+ * source of baseUrl (user config, env var, JWT `iss` claim) produces
+ * a canonical `https://<host>` string:
+ *   • strips a trailing `/identity_` or `/identity_/` (users paste the
+ *     full identity endpoint and we need just the authority);
+ *   • strips trailing slashes;
+ *   • validates the result as a parseable `https://` URL;
+ *   • strips any path segments — organization is carried separately.
+ *
+ * Throws {@link InvalidBaseUrlError} on any failure.
+ */
+export declare const normalizeAndValidateBaseUrl: (rawUrl: string) => string;
+export declare const resolveConfigAsync: ({ customAuthority, customClientId, customClientSecret, customScopes, }?: ResolveConfigProps) => Promise<EndpointsConfig>;
+export {};

package/dist/constants.d.ts

@@ -0,0 +1,10 @@
+/** Home directory for UiPath CLI auth data: ~/.uipath/ */
+export declare const UIPATH_HOME_DIR = ".uipath";
+/** Auth credentials filename within the UiPath home directory. */
+export declare const AUTH_FILENAME = ".auth";
+/** Default UiPath cloud base URL. */
+export declare const DEFAULT_BASE_URL = "https://cloud.uipath.com";
+/** Auth callback server timeout (5 minutes). */
+export declare const DEFAULT_AUTH_TIMEOUT_MS: number;
+/** Localhost OIDC redirect URI. */
+export declare const DEFAULT_REDIRECT_URI = "http://localhost:8104/oidc/login";

package/dist/envAuth.d.ts

@@ -0,0 +1,75 @@
+import type { LoginStatus } from "./loginStatus";
+/**
+ * Environment variable that opts the CLI into sourcing authentication
+ * data from env vars instead of the `.uipath/.auth` file. Must be set
+ * to the literal string `"true"`.
+ */
+export declare const ENV_AUTH_ENABLE_VAR = "UIPATH_CLI_ENABLE_ENV_AUTH";
+/**
+ * Environment variable that opts the CLI into Robot-IPC-only authentication.
+ * Must be set to the literal string `"true"`. When set:
+ *   - `~/.uipath/.auth` is **not consulted** (file lookup is skipped entirely;
+ *     a stale or expired file cannot block the Robot path).
+ *   - `UIPATH_CLI_ENABLE_ENV_AUTH=true` set in parallel raises
+ *     {@link EnvAuthConfigError} ("mutually exclusive flags") rather than
+ *     being silently overridden — the two opt-ins contradict each other and
+ *     the user must resolve the conflict.
+ *   - The Robot fallback runs first and is required to succeed.
+ *   - If the Robot is not running / not signed in, the CLI returns
+ *     `loginStatus: "Not logged in"` with a hint pointing at this env var
+ *     and the Assistant — no fallback to file or env-auth.
+ * Intended as a per-process opt-in (set on the spawned `uip` child only)
+ * for consumers like Studio Desktop that authenticate through the local
+ * Robot. See GH issue #2131.
+ */
+export declare const ENFORCE_ROBOT_AUTH_VAR = "UIPATH_CLI_ENFORCE_ROBOT_AUTH";
+/**
+ * Names of the env vars consumed when {@link ENV_AUTH_ENABLE_VAR} is
+ * enabled. The server URL (`baseUrl`) is not listed here — it is
+ * derived from the JWT's `iss` claim, which is the authoritative
+ * source for the authority that minted the token.
+ *
+ * NOTE: insertion order of these keys is the public ordering of the
+ * `Vars` array surfaced by `uip login which`. Reordering changes CLI
+ * output that programmatic consumers may parse positionally.
+ */
+export declare const ENV_AUTH_VARS: {
+    readonly token: "UIPATH_CLI_AUTH_TOKEN";
+    readonly organizationName: "UIPATH_CLI_ORGANIZATION_NAME";
+    readonly organizationId: "UIPATH_CLI_ORGANIZATION_ID";
+    readonly tenantName: "UIPATH_CLI_TENANT_NAME";
+    readonly tenantId: "UIPATH_CLI_TENANT_ID";
+};
+/**
+ * Error thrown when env-var auth is enabled but the configuration is
+ * incomplete or invalid. Surfaces the specific variable at fault so
+ * the user can correct the CI setup without guessing.
+ */
+export declare class EnvAuthConfigError extends Error {
+    constructor(message: string);
+}
+/**
+ * Whether env-var auth is active. Checked at the top of
+ * {@link getLoginStatusWithDeps} so that when the gate is off the
+ * existing file-based flow is entirely unaffected.
+ */
+export declare const isEnvAuthEnabled: () => boolean;
+/**
+ * Whether Robot-only enforcement is active. See {@link ENFORCE_ROBOT_AUTH_VAR}.
+ */
+export declare const isRobotAuthEnforced: () => boolean;
+/**
+ * Build a {@link LoginStatus} from environment variables, bypassing
+ * disk I/O and token refresh entirely.
+ *
+ * The access token is treated as opaque — whoever populated the env
+ * var is responsible for its freshness. If the token carries a JWT
+ * `exp` that has already passed, the status is reported as `Expired`
+ * (mirroring the file-based flow), but no refresh is attempted: there
+ * is no refresh token in the env-var contract and the CLI has no way
+ * to update a secret it did not mint.
+ *
+ * baseUrl is derived from the token's `iss` claim so the env-var set
+ * can stay aligned with the GH #1034 spec (five vars, no URL).
+ */
+export declare const readAuthFromEnv: () => LoginStatus;

package/dist/getBaseHtml.d.ts

@@ -0,0 +1,7 @@
+interface GetBaseHtmlProps {
+    title: string;
+    message: string;
+    type: "success" | "error";
+}
+export declare const getBaseHtml: ({ title, message, type }: GetBaseHtmlProps) => string;
+export {};

package/dist/index.browser.d.ts

@@ -0,0 +1,10 @@
+export * from "./authContext";
+export * from "./clientCredentials";
+export { type AuthFileConfig, InvalidBaseUrlError, setAuthFileConfig, } from "./config";
+export * from "./loginStatus";
+export * from "./logout";
+export { fetchTenantsAndOrganizations, type Tenant, type TenantsAndOrganizations, } from "./tenantSelection";
+export * from "./tokenRefresh";
+export type { BaseCredentials } from "./types";
+export { DEFAULT_AUTH_FILENAME, DEFAULT_ENV_FILENAME, type EnvFileErrorCode, type EnvFileLocation, type EnvFileSource, type EnvFileUnusable, type EnvFileUnusableReason, loadEnvFileAsync, resolveEnvFileLocationAsync, resolveEnvFilePathAsync, saveEnvFileAsync, } from "./utils/envFile";
+export { isBrowser, isNode } from "./utils/platform";