@uipath/cli 0.9.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +99 -0
- package/dist/index.js +8426 -2894
- package/package.json +8 -8
package/README.md
CHANGED
|
@@ -85,6 +85,105 @@ uip login status
|
|
|
85
85
|
Base URL: https://cloud.uipath.com
|
|
86
86
|
```
|
|
87
87
|
|
|
88
|
+
#### `uip login refresh`
|
|
89
|
+
|
|
90
|
+
Refresh the access token proactively and emit a machine-readable session
|
|
91
|
+
payload — access token, organization/tenant identity, and expiration —
|
|
92
|
+
in a single call. Programmatic consumers (e.g. the Flow VSCode extension)
|
|
93
|
+
use this to guarantee the returned token will still be valid for the
|
|
94
|
+
next N minutes.
|
|
95
|
+
|
|
96
|
+
`uip login status`, by contrast, is a status report: it only rotates
|
|
97
|
+
tokens incidentally when the stored access token is already past its
|
|
98
|
+
expiry (via the auth layer's auto-refresh path) and never performs
|
|
99
|
+
proactive refresh — so the token it returns may be about to expire.
|
|
100
|
+
|
|
101
|
+
**Options:**
|
|
102
|
+
- `--login-validity <minutes>` – Refresh only if the current access token
|
|
103
|
+
expires within this many minutes. Default `5`. Pass `0` to skip
|
|
104
|
+
proactive refresh and rotate only when the token is already past its
|
|
105
|
+
expiry. Range: `0`–`525600` (1 year). Invalid values exit `3`
|
|
106
|
+
(`ValidationError`).
|
|
107
|
+
|
|
108
|
+
**Example:**
|
|
109
|
+
|
|
110
|
+
```bash
|
|
111
|
+
# Machine-consumption (access token emitted)
|
|
112
|
+
uip login refresh --output json
|
|
113
|
+
|
|
114
|
+
# Require at least 10 minutes of validity on the returned token
|
|
115
|
+
uip login refresh --login-validity 10 --output json
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
**Output (`--output json`):**
|
|
119
|
+
|
|
120
|
+
```json
|
|
121
|
+
{
|
|
122
|
+
"Result": "Success",
|
|
123
|
+
"Code": "LoginRefresh",
|
|
124
|
+
"Data": {
|
|
125
|
+
"Status": "Logged in",
|
|
126
|
+
"Organization": "my-org",
|
|
127
|
+
"Tenant": "DefaultTenant",
|
|
128
|
+
"Expiration Date": "2026-04-24T18:00:00.000Z",
|
|
129
|
+
"BaseUrl": "https://cloud.uipath.com",
|
|
130
|
+
"OrganizationId": "bc2ddac5-...",
|
|
131
|
+
"OrganizationName": "my-org",
|
|
132
|
+
"TenantId": "a1b2c3d4-...",
|
|
133
|
+
"TenantName": "DefaultTenant",
|
|
134
|
+
"AccessToken": "<jwt>"
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
**Refresh-token ownership:**
|
|
140
|
+
|
|
141
|
+
The CLI is the sole owner of the refresh token — it stays in
|
|
142
|
+
`.uipath/.auth` and only the auth layer rotates it. Programmatic
|
|
143
|
+
consumers should not cache the access token long-term either; instead
|
|
144
|
+
they call `uip login refresh --login-validity N --output json` whenever
|
|
145
|
+
they need a fresh token. This avoids the rotation race that would
|
|
146
|
+
otherwise let one party invalidate the other party's stored refresh
|
|
147
|
+
token.
|
|
148
|
+
|
|
149
|
+
**Security posture for `AccessToken`:**
|
|
150
|
+
|
|
151
|
+
The access token is emitted only when the active format is `json` **and**
|
|
152
|
+
at least one of the following is true:
|
|
153
|
+
|
|
154
|
+
1. `--output` was explicitly passed on the command line (the user asked
|
|
155
|
+
for machine output), **or**
|
|
156
|
+
2. Stdout is not attached to an interactive terminal (pipe, redirect,
|
|
157
|
+
subprocess).
|
|
158
|
+
|
|
159
|
+
Because `--output json` is the hard default regardless of TTY, gating
|
|
160
|
+
on format alone would mean a bare `uip login refresh` in a shell dumps
|
|
161
|
+
the token on-screen. Requiring either an explicit `--output` flag or a
|
|
162
|
+
non-TTY stdout keeps the token reserved for deliberate machine-consumption
|
|
163
|
+
paths: Flow VSCode extension spawning `uip login refresh --output json`,
|
|
164
|
+
CI pipelines writing to a file, or `uip login refresh | cat`. Table /
|
|
165
|
+
yaml / plain renderings never include the token in any circumstance.
|
|
166
|
+
This preserves the sensitive-field filter posture from #752.
|
|
167
|
+
|
|
168
|
+
**Success discriminator (`Data.Code`):**
|
|
169
|
+
|
|
170
|
+
| `Code` | Meaning |
|
|
171
|
+
|---|---|
|
|
172
|
+
| `LoginRefresh` | Clean success. The returned `AccessToken` is valid AND the rotated pair has been persisted — the next invocation will use the new tokens cleanly. |
|
|
173
|
+
| `LoginRefreshPartial` | The refresh rotated at the identity server but the new pair could not be persisted to `.uipath/.auth` (permission denied, disk full, etc.). The returned `AccessToken` is valid for the current call, but the next invocation will fail until the disk state is repaired. `Data.Hint` carries the underlying filesystem error. |
|
|
174
|
+
|
|
175
|
+
Programmatic consumers should switch on `Code` rather than pattern-matching
|
|
176
|
+
`Hint`. Exit code is `0` in both success flavours — the partial case still
|
|
177
|
+
yielded a usable token for this call.
|
|
178
|
+
|
|
179
|
+
**Exit codes:**
|
|
180
|
+
|
|
181
|
+
| Code | Result | When |
|
|
182
|
+
|---|---|---|
|
|
183
|
+
| `0` | `Success` | A valid access token is in the response (`Code` is either `LoginRefresh` or `LoginRefreshPartial`) |
|
|
184
|
+
| `2` | `AuthenticationError` | The CLI cannot produce a valid token — refresh failed, not logged in, or credentials file unreadable |
|
|
185
|
+
| `3` | `ValidationError` | Bad `--login-validity` value |
|
|
186
|
+
|
|
88
187
|
#### Environment-variable authentication (CI/CD)
|
|
89
188
|
|
|
90
189
|
For non-interactive environments such as CI/CD pipelines, containers, or
|