@uniformdev/mesh-sdk 20.50.2-alpha.2 → 20.50.2-alpha.77

package/dist/index.esm.js

@@ -4,10 +4,112 @@ var __typeError = (msg) => {
 var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
 var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
 var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+
+// src/clients/DelegationTokenClient.ts
+var DelegationTokenError = class extends Error {
+  constructor(status, kind, publicMessage) {
+    super(publicMessage);
+    this.name = "DelegationTokenError";
+    this.status = status;
+    this.kind = kind;
+  }
+};
+var PUBLIC_MESSAGES = {
+  bad_request: "Token exchange request was rejected as invalid",
+  unauthenticated: "Token exchange authentication failed",
+  forbidden: "Token exchange forbidden by server",
+  not_found: "Token exchange target was not found",
+  rate_limited: "Token exchange rate limit exceeded",
+  server_error: "Token exchange server error",
+  unknown: "Token exchange failed"
+};
+function classifyDelegationTokenStatus(status) {
+  if (status === 400) {
+    return "bad_request";
+  }
+  if (status === 401) {
+    return "unauthenticated";
+  }
+  if (status === 403) {
+    return "forbidden";
+  }
+  if (status === 404) {
+    return "not_found";
+  }
+  if (status === 429) {
+    return "rate_limited";
+  }
+  if (status >= 500) {
+    return "server_error";
+  }
+  return "unknown";
+}
+function buildDelegationTokenError(status) {
+  const kind = classifyDelegationTokenStatus(status);
+  return new DelegationTokenError(status, kind, PUBLIC_MESSAGES[kind]);
+}
+var _options, _DelegationTokenClient_instances, post_fn;
+var DelegationTokenClient = class {
+  constructor(options) {
+    __privateAdd(this, _DelegationTokenClient_instances);
+    __privateAdd(this, _options);
+    __privateSet(this, _options, options);
+  }
+  /**
+   * Exchanges a short-lived session token for a delegation token and refresh token.
+   * The session token is obtained by the integration's frontend via `sdk.getSessionToken()`.
+   *
+   * @deprecated This beta identity delegation API may change with breaking changes.
+   */
+  async exchangeSessionToken(sessionToken) {
+    return __privateMethod(this, _DelegationTokenClient_instances, post_fn).call(this, {
+      grant_type: "delegation_token",
+      sessionToken,
+      integrationId: __privateGet(this, _options).integrationId,
+      integrationSecret: __privateGet(this, _options).integrationSecret
+    });
+  }
+  /**
+   * Exchanges a refresh token for a new delegation token and a new refresh token.
+   *
+   * Replay posture: refresh tokens are bearer credentials that are valid until
+   * their server-side expiry. They are NOT single-use — a captured refresh token can be
+   * replayed by an attacker that also has the integration secret until it expires.
+   * Single-use enforcement (refresh-token storage, family/jti tracking, replay revocation)
+   * is tracked in `UNI-9279`.
+   *
+   * @deprecated This beta identity delegation API may change with breaking changes.
+   */
+  async refreshDelegationToken(refreshToken) {
+    return __privateMethod(this, _DelegationTokenClient_instances, post_fn).call(this, {
+      grant_type: "refresh_token",
+      refreshToken,
+      integrationId: __privateGet(this, _options).integrationId,
+      integrationSecret: __privateGet(this, _options).integrationSecret
+    });
+  }
+};
+_options = new WeakMap();
+_DelegationTokenClient_instances = new WeakSet();
+post_fn = async function(body) {
+  const url = `${__privateGet(this, _options).apiHost}/api/v1/token`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    await response.text().catch(() => "");
+    throw buildDelegationTokenError(response.status);
+  }
+  return await response.json();
+};
 
 // src/clients/IntegrationDefinitionClient.ts
 import { ApiClient } from "@uniformdev/context/api";
-var _url;
+var _url, _credentialsUrl;
 var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends ApiClient {
   constructor(options) {
     super(options);
@@ -18,7 +120,7 @@ var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends Ap
     const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _url), { ...options, teamId });
     return await this.apiClient(fetchUri);
   }
-  /** Creates or updates a mesh app definition on a team */
+  /** Creates or updates a mesh app definition on a team. Identity-delegation credentials must be minted separately via {@link rotateCredential}. */
   async upsert(body) {
     const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _url));
     return await this.apiClient(fetchUri, {
@@ -35,9 +137,37 @@ var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends Ap
       expectNoContent: true
     });
   }
+  /**
+   * Mints or rotates an identity-delegation credential for an integration definition. The plaintext
+   * `appSecret` is returned exactly once and is not retrievable afterwards — Uniform stores only
+   * the hash. A successful response invalidates any previously-issued secret of the same kind.
+   * Caller must be a team admin.
+   */
+  async rotateCredential(body) {
+    const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _credentialsUrl));
+    return await this.apiClient(fetchUri, {
+      method: "POST",
+      body: JSON.stringify({ ...body, teamId: this.options.teamId })
+    });
+  }
+  /**
+   * Revokes an identity-delegation credential. Future delegation grants and refreshes will fail
+   * until a new credential is minted; in-flight delegation tokens remain valid until natural
+   * expiry (up to ~15 minutes). Caller must be a team admin.
+   */
+  async revokeCredential(body) {
+    const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _credentialsUrl));
+    await this.apiClient(fetchUri, {
+      method: "DELETE",
+      body: JSON.stringify({ ...body, teamId: this.options.teamId }),
+      expectNoContent: true
+    });
+  }
 };
 _url = new WeakMap();
+_credentialsUrl = new WeakMap();
 __privateAdd(_IntegrationDefinitionClient, _url, "/api/v1/integration-definitions");
+__privateAdd(_IntegrationDefinitionClient, _credentialsUrl, "/api/v1/integration-credentials");
 var IntegrationDefinitionClient = _IntegrationDefinitionClient;
 
 // src/clients/IntegrationInstallationClient.ts
@@ -131,7 +261,7 @@ var getLogger = (prefix, debug) => {
 };
 
 // src/temp/version.ts
-var UNIFORM_MESH_SDK_VERSION = "20.50.1";
+var UNIFORM_MESH_SDK_VERSION = "20.61.1";
 
 // src/framepost/constants.ts
 var DEFAULT_REQUEST_TIMEOUT = 5e3;
@@ -488,56 +618,63 @@ async function connectToParent({
   });
   client.onRequest("metadata-value", onMetadataUpdated);
   client.onRequest("external-value-update", onValueExternallyUpdated);
-  return {
-    initData,
-    parent: {
-      resize: async ({ height }) => {
-        await client.request("resize", { height });
-      },
-      setValue: async (value) => {
-        await client.request("setValue", value);
-      },
-      openDialog: async (message) => {
-        const res = await client.request(
-          "openDialog",
-          message
-        );
-        const dialogId = res == null ? void 0 : res.dialogId;
-        if (!dialogId) {
-          return;
-        }
-        return new Promise((resolve, reject) => {
-          dialogResponseHandlers[dialogId] = { resolve, reject };
-        });
-      },
-      closeDialog: async (message) => {
-        await client.request("closeDialog", message);
-      },
-      getDataResource: async (message) => {
-        return await client.request("getDataResource", message, {
-          timeout: 3e4
-        });
-      },
-      navigate: async (message) => {
-        await client.request("navigate", message);
-      },
-      reloadLocation: async () => {
-        await client.request("reload");
-      },
-      editConnectedData: async (message) => {
-        return await client.request(
-          "editConnectedData",
-          message,
-          {
-            timeout: (
-              // 24 hours in ms
-              864e5
-            )
-          }
-        );
+  const parent = {
+    resize: async ({ height }) => {
+      await client.request("resize", { height });
+    },
+    setValue: async (value) => {
+      await client.request("setValue", value);
+    },
+    openDialog: async (message) => {
+      const res = await client.request(
+        "openDialog",
+        message
+      );
+      const dialogId = res == null ? void 0 : res.dialogId;
+      if (!dialogId) {
+        return;
       }
+      return new Promise((resolve, reject) => {
+        dialogResponseHandlers[dialogId] = { resolve, reject };
+      });
+    },
+    closeDialog: async (message) => {
+      await client.request("closeDialog", message);
+    },
+    getDataResource: async (message) => {
+      return await client.request("getDataResource", message, {
+        timeout: 3e4
+      });
+    },
+    navigate: async (message) => {
+      await client.request("navigate", message);
+    },
+    reloadLocation: async () => {
+      await client.request("reload");
+    },
+    editConnectedData: async (message) => {
+      return await client.request(
+        "editConnectedData",
+        message,
+        {
+          timeout: (
+            // 24 hours in ms
+            864e5
+          )
+        }
+      );
+    },
+    getSessionToken: async () => {
+      return await client.request("getSessionToken", void 0, {
+        // Delegation may wait on consent UI + token API; default framepost timeout (5s) is too short.
+        timeout: 12e4
+      });
     }
   };
+  return {
+    initData,
+    parent
+  };
 }
 
 // src/sdkWindow.ts
@@ -816,7 +953,8 @@ async function initializeUniformMeshSDK({
       },
       closeCurrentLocationDialog: async () => {
         await parent.closeDialog({ dialogId: void 0, dialogType: "currentLocation" });
-      }
+      },
+      getSessionToken: () => parent.getSessionToken()
     };
     window.UniformMeshSDK = sdk;
     initializing = false;
@@ -838,6 +976,8 @@ var hasRole = (role, user) => {
   return user.roles.some((userRole) => userRole.name === role || userRole.id === role);
 };
 export {
+  DelegationTokenClient,
+  DelegationTokenError,
   IntegrationDefinitionClient,
   IntegrationInstallationClient,
   functionCallSystemParameters,

package/dist/index.js

@@ -32,10 +32,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
 var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
 var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
 
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  DelegationTokenClient: () => DelegationTokenClient,
+  DelegationTokenError: () => DelegationTokenError,
   IntegrationDefinitionClient: () => IntegrationDefinitionClient,
   IntegrationInstallationClient: () => IntegrationInstallationClient,
   functionCallSystemParameters: () => functionCallSystemParameters,
@@ -46,9 +50,109 @@ __export(src_exports, {
 });
 module.exports = __toCommonJS(src_exports);
 
+// src/clients/DelegationTokenClient.ts
+var DelegationTokenError = class extends Error {
+  constructor(status, kind, publicMessage) {
+    super(publicMessage);
+    this.name = "DelegationTokenError";
+    this.status = status;
+    this.kind = kind;
+  }
+};
+var PUBLIC_MESSAGES = {
+  bad_request: "Token exchange request was rejected as invalid",
+  unauthenticated: "Token exchange authentication failed",
+  forbidden: "Token exchange forbidden by server",
+  not_found: "Token exchange target was not found",
+  rate_limited: "Token exchange rate limit exceeded",
+  server_error: "Token exchange server error",
+  unknown: "Token exchange failed"
+};
+function classifyDelegationTokenStatus(status) {
+  if (status === 400) {
+    return "bad_request";
+  }
+  if (status === 401) {
+    return "unauthenticated";
+  }
+  if (status === 403) {
+    return "forbidden";
+  }
+  if (status === 404) {
+    return "not_found";
+  }
+  if (status === 429) {
+    return "rate_limited";
+  }
+  if (status >= 500) {
+    return "server_error";
+  }
+  return "unknown";
+}
+function buildDelegationTokenError(status) {
+  const kind = classifyDelegationTokenStatus(status);
+  return new DelegationTokenError(status, kind, PUBLIC_MESSAGES[kind]);
+}
+var _options, _DelegationTokenClient_instances, post_fn;
+var DelegationTokenClient = class {
+  constructor(options) {
+    __privateAdd(this, _DelegationTokenClient_instances);
+    __privateAdd(this, _options);
+    __privateSet(this, _options, options);
+  }
+  /**
+   * Exchanges a short-lived session token for a delegation token and refresh token.
+   * The session token is obtained by the integration's frontend via `sdk.getSessionToken()`.
+   *
+   * @deprecated This beta identity delegation API may change with breaking changes.
+   */
+  async exchangeSessionToken(sessionToken) {
+    return __privateMethod(this, _DelegationTokenClient_instances, post_fn).call(this, {
+      grant_type: "delegation_token",
+      sessionToken,
+      integrationId: __privateGet(this, _options).integrationId,
+      integrationSecret: __privateGet(this, _options).integrationSecret
+    });
+  }
+  /**
+   * Exchanges a refresh token for a new delegation token and a new refresh token.
+   *
+   * Replay posture: refresh tokens are bearer credentials that are valid until
+   * their server-side expiry. They are NOT single-use — a captured refresh token can be
+   * replayed by an attacker that also has the integration secret until it expires.
+   * Single-use enforcement (refresh-token storage, family/jti tracking, replay revocation)
+   * is tracked in `UNI-9279`.
+   *
+   * @deprecated This beta identity delegation API may change with breaking changes.
+   */
+  async refreshDelegationToken(refreshToken) {
+    return __privateMethod(this, _DelegationTokenClient_instances, post_fn).call(this, {
+      grant_type: "refresh_token",
+      refreshToken,
+      integrationId: __privateGet(this, _options).integrationId,
+      integrationSecret: __privateGet(this, _options).integrationSecret
+    });
+  }
+};
+_options = new WeakMap();
+_DelegationTokenClient_instances = new WeakSet();
+post_fn = async function(body) {
+  const url = `${__privateGet(this, _options).apiHost}/api/v1/token`;
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    await response.text().catch(() => "");
+    throw buildDelegationTokenError(response.status);
+  }
+  return await response.json();
+};
+
 // src/clients/IntegrationDefinitionClient.ts
 var import_api = require("@uniformdev/context/api");
-var _url;
+var _url, _credentialsUrl;
 var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends import_api.ApiClient {
   constructor(options) {
     super(options);
@@ -59,7 +163,7 @@ var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends im
     const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _url), { ...options, teamId });
     return await this.apiClient(fetchUri);
   }
-  /** Creates or updates a mesh app definition on a team */
+  /** Creates or updates a mesh app definition on a team. Identity-delegation credentials must be minted separately via {@link rotateCredential}. */
   async upsert(body) {
     const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _url));
     return await this.apiClient(fetchUri, {
@@ -76,9 +180,37 @@ var _IntegrationDefinitionClient = class _IntegrationDefinitionClient extends im
       expectNoContent: true
     });
   }
+  /**
+   * Mints or rotates an identity-delegation credential for an integration definition. The plaintext
+   * `appSecret` is returned exactly once and is not retrievable afterwards — Uniform stores only
+   * the hash. A successful response invalidates any previously-issued secret of the same kind.
+   * Caller must be a team admin.
+   */
+  async rotateCredential(body) {
+    const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _credentialsUrl));
+    return await this.apiClient(fetchUri, {
+      method: "POST",
+      body: JSON.stringify({ ...body, teamId: this.options.teamId })
+    });
+  }
+  /**
+   * Revokes an identity-delegation credential. Future delegation grants and refreshes will fail
+   * until a new credential is minted; in-flight delegation tokens remain valid until natural
+   * expiry (up to ~15 minutes). Caller must be a team admin.
+   */
+  async revokeCredential(body) {
+    const fetchUri = this.createUrl(__privateGet(_IntegrationDefinitionClient, _credentialsUrl));
+    await this.apiClient(fetchUri, {
+      method: "DELETE",
+      body: JSON.stringify({ ...body, teamId: this.options.teamId }),
+      expectNoContent: true
+    });
+  }
 };
 _url = new WeakMap();
+_credentialsUrl = new WeakMap();
 __privateAdd(_IntegrationDefinitionClient, _url, "/api/v1/integration-definitions");
+__privateAdd(_IntegrationDefinitionClient, _credentialsUrl, "/api/v1/integration-credentials");
 var IntegrationDefinitionClient = _IntegrationDefinitionClient;
 
 // src/clients/IntegrationInstallationClient.ts
@@ -172,7 +304,7 @@ var getLogger = (prefix, debug) => {
 };
 
 // src/temp/version.ts
-var UNIFORM_MESH_SDK_VERSION = "20.50.1";
+var UNIFORM_MESH_SDK_VERSION = "20.61.1";
 
 // src/framepost/constants.ts
 var DEFAULT_REQUEST_TIMEOUT = 5e3;
@@ -529,56 +661,63 @@ async function connectToParent({
   });
   client.onRequest("metadata-value", onMetadataUpdated);
   client.onRequest("external-value-update", onValueExternallyUpdated);
-  return {
-    initData,
-    parent: {
-      resize: async ({ height }) => {
-        await client.request("resize", { height });
-      },
-      setValue: async (value) => {
-        await client.request("setValue", value);
-      },
-      openDialog: async (message) => {
-        const res = await client.request(
-          "openDialog",
-          message
-        );
-        const dialogId = res == null ? void 0 : res.dialogId;
-        if (!dialogId) {
-          return;
-        }
-        return new Promise((resolve, reject) => {
-          dialogResponseHandlers[dialogId] = { resolve, reject };
-        });
-      },
-      closeDialog: async (message) => {
-        await client.request("closeDialog", message);
-      },
-      getDataResource: async (message) => {
-        return await client.request("getDataResource", message, {
-          timeout: 3e4
-        });
-      },
-      navigate: async (message) => {
-        await client.request("navigate", message);
-      },
-      reloadLocation: async () => {
-        await client.request("reload");
-      },
-      editConnectedData: async (message) => {
-        return await client.request(
-          "editConnectedData",
-          message,
-          {
-            timeout: (
-              // 24 hours in ms
-              864e5
-            )
-          }
-        );
+  const parent = {
+    resize: async ({ height }) => {
+      await client.request("resize", { height });
+    },
+    setValue: async (value) => {
+      await client.request("setValue", value);
+    },
+    openDialog: async (message) => {
+      const res = await client.request(
+        "openDialog",
+        message
+      );
+      const dialogId = res == null ? void 0 : res.dialogId;
+      if (!dialogId) {
+        return;
       }
+      return new Promise((resolve, reject) => {
+        dialogResponseHandlers[dialogId] = { resolve, reject };
+      });
+    },
+    closeDialog: async (message) => {
+      await client.request("closeDialog", message);
+    },
+    getDataResource: async (message) => {
+      return await client.request("getDataResource", message, {
+        timeout: 3e4
+      });
+    },
+    navigate: async (message) => {
+      await client.request("navigate", message);
+    },
+    reloadLocation: async () => {
+      await client.request("reload");
+    },
+    editConnectedData: async (message) => {
+      return await client.request(
+        "editConnectedData",
+        message,
+        {
+          timeout: (
+            // 24 hours in ms
+            864e5
+          )
+        }
+      );
+    },
+    getSessionToken: async () => {
+      return await client.request("getSessionToken", void 0, {
+        // Delegation may wait on consent UI + token API; default framepost timeout (5s) is too short.
+        timeout: 12e4
+      });
     }
   };
+  return {
+    initData,
+    parent
+  };
 }
 
 // src/sdkWindow.ts
@@ -857,7 +996,8 @@ async function initializeUniformMeshSDK({
       },
       closeCurrentLocationDialog: async () => {
         await parent.closeDialog({ dialogId: void 0, dialogType: "currentLocation" });
-      }
+      },
+      getSessionToken: () => parent.getSessionToken()
     };
     window.UniformMeshSDK = sdk;
     initializing = false;
@@ -880,6 +1020,8 @@ var hasRole = (role, user) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  DelegationTokenClient,
+  DelegationTokenError,
   IntegrationDefinitionClient,
   IntegrationInstallationClient,
   functionCallSystemParameters,