@vercel/sandbox 1.2.0 → 1.2.1

package/src/utils/get-credentials.ts

@@ -1,183 +0,0 @@
-import { getVercelOidcToken } from "@vercel/oidc";
-import { decodeBase64Url } from "./decode-base64-url";
-import { z } from "zod";
-import {
-  cachedGenerateCredentials,
-  shouldPromptForCredentials,
-} from "./dev-credentials";
-
-export interface Credentials {
-  /**
-   * Authentication token for the Vercel API. It could be an OIDC token
-   * or a personal access token.
-   */
-  token: string;
-  /**
-   * The ID of the project to associate Sandbox operations.
-   */
-  projectId: string;
-  /**
-   * The ID of the team to associate Sandbox operations.
-   */
-  teamId: string;
-}
-
-/**
- * Error thrown when OIDC context is not available in local development,
- * therefore we should guide how to ensure it is set up by linking a project
- */
-export class LocalOidcContextError extends Error {
-  name = "LocalOidcContextError";
-  constructor(cause: unknown) {
-    const message = [
-      "Could not get credentials from OIDC context.",
-      "Please link your Vercel project using `npx vercel link`.",
-      "Then, pull an initial OIDC token with `npx vercel env pull`",
-      "and retry.",
-      "╰▶ Make sure you are loading `.env.local` correctly, or passing $VERCEL_OIDC_TOKEN directly."
-    ].join("\n");
-    super(message, { cause });
-  }
-}
-
-/**
- * Error thrown when OIDC context is not available in Vercel environment,
- * therefore we should guide how to set it up.
- */
-export class VercelOidcContextError extends Error {
-  name = "VercelOidcContextError";
-  constructor(cause: unknown) {
-    const message = [
-      "Could not get credentials from OIDC context.",
-      "Please make sure OIDC is set up for your project",
-      "╰▶ Docs: https://vercel.com/docs/oidc",
-    ].join("\n");
-    super(message, { cause });
-  }
-}
-
-async function getVercelToken(opts: {
-  teamId?: string;
-  projectId?: string;
-}): Promise<Credentials> {
-  try {
-    return getCredentialsFromOIDCToken(await getVercelOidcToken());
-  } catch (error) {
-    if (!shouldPromptForCredentials()) {
-      if (process.env.VERCEL_URL) {
-        throw new VercelOidcContextError(error);
-      } else {
-        throw new LocalOidcContextError(error);
-      }
-    }
-    return await cachedGenerateCredentials(opts);
-  }
-}
-
-/**
- * Allow to get credentials to access the Vercel API. Credentials can be
- * provided in two different ways:
- *
- * 1. By passing an object with the `teamId`, `token`, and `projectId` properties.
- * 2. By using an environment variable VERCEL_OIDC_TOKEN.
- *
- * If both methods are used, the object properties take precedence over the
- * environment variable. If neither method is used, an error is thrown.
- */
-export async function getCredentials(params?: unknown): Promise<Credentials> {
-  const credentials = getCredentialsFromParams(params ?? {});
-  if (credentials) {
-    return credentials;
-  }
-
-  const oidcToken = await getVercelToken({
-    teamId:
-      params &&
-      typeof params === "object" &&
-      "teamId" in params &&
-      typeof params.teamId === "string"
-        ? params.teamId
-        : undefined,
-    projectId:
-      params &&
-      typeof params === "object" &&
-      "projectId" in params &&
-      typeof params.projectId === "string"
-        ? params.projectId
-        : undefined,
-  });
-
-  return oidcToken;
-}
-
-/**
- * Attempt to extract credentials from the provided parameters. Either all
- * required fields (`token`, `teamId`, and `projectId`) must be present
- * or none of them, otherwise an error is thrown.
- */
-function getCredentialsFromParams(params: unknown): Credentials | null {
-  // Type guard: params must be an object
-  if (!params || typeof params !== "object") {
-    return null;
-  }
-
-  const missing = [
-    "token" in params && typeof params.token === "string" ? null : "token",
-    "teamId" in params && typeof params.teamId === "string" ? null : "teamId",
-    "projectId" in params && typeof params.projectId === "string"
-      ? null
-      : "projectId",
-  ].filter((value) => value !== null);
-
-  if (missing.length === 0) {
-    return {
-      token: (params as any).token,
-      projectId: (params as any).projectId,
-      teamId: (params as any).teamId,
-    };
-  }
-
-  if (missing.length < 3) {
-    throw new Error(
-      `Missing credentials parameters to access the Vercel API: ${missing
-        .filter((value) => value !== null)
-        .join(", ")}`,
-    );
-  }
-
-  return null;
-}
-
-/**
- * Schema to validate the payload of the Vercel OIDC token where we expect
- * to find the `teamId` and `projectId`.
- */
-export const schema = z.object({
-  exp: z.number().optional().describe("Expiry timestamp (seconds since epoch)"),
-  iat: z.number().optional().describe("Issued at timestamp"),
-  owner_id: z.string(),
-  project_id: z.string(),
-});
-
-/**
- * Extracts credentials from a Vercel OIDC token. The token is expected to be
- * a JWT with a payload that contains `project_id` and `owner_id`.
- *
- * @param token - The Vercel OIDC token.
- * @returns An object containing the token, projectId, and teamId.
- * @throws If the token is invalid or does not contain the required fields.
- */
-function getCredentialsFromOIDCToken(token: string): Credentials {
-  try {
-    const payload = schema.parse(decodeBase64Url(token.split(".")[1]));
-    return {
-      token,
-      projectId: payload.project_id,
-      teamId: payload.owner_id,
-    };
-  } catch (error) {
-    throw new Error(
-      `Invalid Vercel OIDC token: ${error instanceof Error ? error.message : String(error)}`,
-    );
-  }
-}

package/src/utils/jwt-expiry.test.ts

@@ -1,125 +0,0 @@
-import { assert, beforeEach, describe, expect, test, vi } from "vitest";
-import { JwtExpiry } from "./jwt-expiry";
-import type { getVercelOidcToken } from "@vercel/oidc";
-
-const { getVercelOidcTokenMock } = vi.hoisted(() => {
-  return {
-    getVercelOidcTokenMock: vi.fn<typeof getVercelOidcToken>(),
-  };
-});
-vi.mock("@vercel/oidc", () => ({
-  getVercelOidcToken: getVercelOidcTokenMock,
-}));
-beforeEach(() => {
-  getVercelOidcTokenMock.mockReset();
-});
-
-describe("JwtExpiry", () => {
-  test("refreshes a token", async () => {
-    const token = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-    });
-    getVercelOidcTokenMock.mockImplementationOnce(async () => "hello world");
-    const expiry = await JwtExpiry.fromToken(token)?.refresh();
-    expect(expiry).toBeInstanceOf(JwtExpiry);
-    expect(expiry?.token).toEqual("hello world");
-  });
-
-  test("isValid returns true for tokens without expiry", () => {
-    // Mock token without exp field (like OIDC tokens without exp)
-    const tokenWithoutExp = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-    });
-    const expiry = JwtExpiry.fromToken(tokenWithoutExp);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.isValid()).toBe(false); // No exp field means malformed JWT
-  });
-
-  test("isValid returns true for unexpired tokens", () => {
-    const futureTime = Math.floor(Date.now() / 1000) + 3600; // 1 hour from now
-    const tokenValid = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-      exp: futureTime,
-    });
-    const expiry = JwtExpiry.fromToken(tokenValid);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.isValid()).toBe(true);
-  });
-
-  test("isValid returns false for expired tokens", () => {
-    const pastTime = Math.floor(Date.now() / 1000) - 3600; // 1 hour ago
-    const tokenExpired = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-      exp: pastTime,
-    });
-    const expiry = JwtExpiry.fromToken(tokenExpired);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.isValid()).toBe(false);
-  });
-
-  test("isValid returns false for tokens expiring within buffer time", () => {
-    const soonTime = Math.floor(Date.now() / 1000) + 120; // 2 minutes from now
-    const tokenExpiringSoon = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-      exp: soonTime,
-    });
-    const expiry = JwtExpiry.fromToken(tokenExpiringSoon);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.isValid(5)).toBe(false); // 5 minute buffer
-  });
-
-  test("isValid returns false for malformed JWT tokens", () => {
-    const expiry = JwtExpiry.fromToken("header.invalid-payload.signature");
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.isValid()).toBe(false);
-  });
-
-  test("getExpiryDate returns correct expiry date", () => {
-    const expTime = Math.floor(Date.now() / 1000) + 3600; // 1 hour from now
-    const token = createMockJWT({
-      owner_id: "team1",
-      project_id: "proj1",
-      exp: expTime,
-    });
-    const expiry = JwtExpiry.fromToken(token);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.getExpiryDate()).toEqual(new Date(expTime * 1000));
-  });
-
-  test("getExpiryDate returns null for tokens without expiry", () => {
-    const token = createMockJWT({ owner_id: "team1", project_id: "proj1" });
-    const expiry = JwtExpiry.fromToken(token);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.getExpiryDate()).toBeNull();
-  });
-
-  test("getExpiryDate returns null for malformed tokens", () => {
-    const token = "hello.world.hey";
-    const expiry = JwtExpiry.fromToken(token);
-    assert(expiry, "Expiry should not be null for valid JWT");
-    expect(expiry.getExpiryDate()).toBeNull();
-  });
-
-  test("returns null for non-JWT style tokens", () => {
-    expect(JwtExpiry.fromToken("personal-access-token")).toBeNull();
-  });
-});
-
-// Helper function to create mock JWT tokens for testing
-function createMockJWT(payload: any): string {
-  const header = { typ: "JWT", alg: "HS256" };
-  const encodedHeader = Buffer.from(JSON.stringify(header)).toString(
-    "base64url",
-  );
-  const encodedPayload = Buffer.from(JSON.stringify(payload)).toString(
-    "base64url",
-  );
-  const signature = "mock-signature";
-
-  return `${encodedHeader}.${encodedPayload}.${signature}`;
-}

package/src/utils/jwt-expiry.ts

@@ -1,105 +0,0 @@
-import { z } from "zod";
-import { decodeBase64Url } from "./decode-base64-url";
-import { schema } from "./get-credentials";
-import { getVercelOidcToken } from "@vercel/oidc";
-import ms from "ms";
-
-/** Time buffer before token expiry to consider it invalid (in milliseconds) */
-const BUFFER_MS = ms("5m");
-
-export class OidcRefreshError extends Error {
-  name = "OidcRefreshError";
-}
-
-/**
- * Expiry implementation for JWT tokens (OIDC tokens).
- * Parses the JWT once and provides fast expiry validation.
- */
-export class JwtExpiry {
-  private expiryTime: number | null; // Unix timestamp in seconds
-  readonly payload?: Readonly<z.infer<typeof schema>>;
-
-  static fromToken(token: string): JwtExpiry | null {
-    if (!isJwtFormat(token)) {
-      return null;
-    } else {
-      return new JwtExpiry(token);
-    }
-  }
-
-  /**
-   * Creates a new JWT expiry checker.
-   *
-   * @param token - The JWT token to parse
-   */
-  constructor(readonly token: string) {
-    try {
-      const tokenContents = token.split(".")[1];
-      this.payload = schema.parse(decodeBase64Url(tokenContents));
-      this.expiryTime = this.payload.exp || null;
-    } catch {
-      // Malformed token - treat as expired to trigger refresh
-      this.expiryTime = 0;
-    }
-  }
-
-  /**
-   * Checks if the JWT token is valid (not expired).
-   * @returns true if token is valid, false if expired or expiring soon
-   */
-  isValid(): boolean {
-    if (this.expiryTime === null) {
-      return false; // No expiry means malformed JWT
-    }
-
-    const now = Math.floor(Date.now() / 1000);
-    const buffer = BUFFER_MS / 1000;
-    return now + buffer < this.expiryTime;
-  }
-
-  /**
-   * Gets the expiry date of the JWT token.
-   *
-   * @returns Date object representing when the token expires, or null if no expiry
-   */
-  getExpiryDate(): Date | null {
-    return this.expiryTime ? new Date(this.expiryTime * 1000) : null;
-  }
-
-  /**
-   * Refreshes the JWT token by fetching a new OIDC token.
-   *
-   * @returns Promise resolving to a new JwtExpiry instance with fresh token
-   */
-  async refresh(): Promise<JwtExpiry> {
-    try {
-      const freshToken = await getVercelOidcToken();
-      return new JwtExpiry(freshToken);
-    } catch (cause) {
-      throw new OidcRefreshError("Failed to refresh OIDC token", {
-        cause,
-      });
-    }
-  }
-
-  /**
-   * Refreshes the JWT token if it's expired or expiring soon.
-   */
-  async tryRefresh(): Promise<JwtExpiry | null> {
-    if (this.isValid()) {
-      return null; // Still valid, no need to refresh
-    }
-
-    return this.refresh();
-  }
-}
-
-/**
- * Checks if a token follows JWT format (has 3 parts separated by dots).
- *
- * @param token - The token to check
- * @returns true if token appears to be a JWT, false otherwise
- */
-function isJwtFormat(token: string): boolean {
-  return token.split(".").length === 3;
-}

package/src/utils/log.ts

@@ -1,20 +0,0 @@
-import pico from "picocolors";
-const colors = {
-  warn: pico.yellow,
-  error: pico.red,
-  success: pico.green,
-  info: pico.blue,
-};
-const logPrefix = pico.dim("[vercel/sandbox]");
-export function write(
-  level: "warn" | "error" | "info" | "success",
-  text: string | string[],
-) {
-  text = Array.isArray(text) ? text.join("\n") : text;
-  const prefixed = text.replace(/^/gm, `${logPrefix} `);
-  console.error(colors[level](prefixed));
-}
-
-export function code(text: string) {
-  return pico.italic(pico.dim("`") + text + pico.dim("`"));
-}

package/src/utils/normalizePath.test.ts

@@ -1,114 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { normalizePath } from "./normalizePath";
-
-describe("normalizePath", () => {
-  it("handles base cases", () => {
-    expect(
-      normalizePath({
-        filePath: "foo.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/",
-      }),
-    ).toBe("vercel/sandbox/foo.txt");
-    expect(
-      normalizePath({
-        filePath: "foo/bar/baz.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/",
-      }),
-    ).toBe("vercel/sandbox/foo/bar/baz.txt");
-    expect(
-      normalizePath({ filePath: "bar.txt", cwd: "/", extractDir: "/" }),
-    ).toBe("bar.txt");
-    expect(
-      normalizePath({
-        filePath: "/some/other/dir/foo.txt",
-        cwd: "/bar",
-        extractDir: "/",
-      }),
-    ).toBe("some/other/dir/foo.txt");
-  });
-
-  it("handles base cases (extract dir)", () => {
-    expect(
-      normalizePath({
-        filePath: "foo.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/vercel",
-      }),
-    ).toBe("sandbox/foo.txt");
-    expect(
-      normalizePath({
-        filePath: "foo/bar/baz.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/vercel",
-      }),
-    ).toBe("sandbox/foo/bar/baz.txt");
-
-    // TODO: Should this be allowed?
-    expect(
-      normalizePath({ filePath: "bar.txt", cwd: "/", extractDir: "/vercel" }),
-    ).toBe("../bar.txt");
-  });
-
-  it("handles normalization", () => {
-    expect(
-      normalizePath({
-        filePath: "/resolves/../this/stuff/foo.txt",
-        cwd: "/bar",
-        extractDir: "/",
-      }),
-    ).toBe("this/stuff/foo.txt");
-    expect(
-      normalizePath({
-        filePath: "/handles//extra-slashes",
-        cwd: "/",
-        extractDir: "/",
-      }),
-    ).toBe("handles/extra-slashes");
-  });
-
-  it("resolves relative paths", () => {
-    expect(
-      normalizePath({
-        filePath: "/../../../foo.txt",
-        cwd: "/",
-        extractDir: "/",
-      }),
-    ).toBe("foo.txt");
-    expect(
-      normalizePath({
-        filePath: "../../../../foo.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/",
-      }),
-    ).toBe("foo.txt");
-    expect(
-      normalizePath({
-        filePath: "../foo.txt",
-        cwd: "/vercel/sandbox",
-        extractDir: "/",
-      }),
-    ).toBe("vercel/foo.txt");
-  });
-
-  it("validates the cwd", () => {
-    expect(() => {
-      normalizePath({
-        filePath: "doesn't matter",
-        cwd: "relative/root",
-        extractDir: "/",
-      });
-    }).toThrow("cwd dir must be absolute");
-  });
-
-  it("validates the cwd", () => {
-    expect(() => {
-      normalizePath({
-        filePath: "doesn't matter",
-        cwd: "/",
-        extractDir: "some/relative/path",
-      });
-    }).toThrow("extractDir must be absolute");
-  });
-});

package/src/utils/normalizePath.ts

@@ -1,33 +0,0 @@
-import path from "path";
-
-/**
- * Normalize a path and make it relative to `params.extractDir` for inclusion
- * in our tar archives.
- *
- * Relative paths are first resolved to `params.cwd`.
- * Absolute paths are normalized and resolved relative to `params.extractDir`.
- *
- * In addition, paths are normalized so consecutive slashes are removed and
- * stuff like `../..` is resolved appropriately.
- *
- * This function always returns a path relative to `params.extractDir`.
- */
-export function normalizePath(params: {
-  filePath: string;
-  cwd: string;
-  extractDir: string;
-}) {
-  if (!path.posix.isAbsolute(params.cwd)) {
-    throw new Error("cwd dir must be absolute");
-  }
-
-  if (!path.posix.isAbsolute(params.extractDir)) {
-    throw new Error("extractDir must be absolute");
-  }
-
-  const basePath = path.posix.isAbsolute(params.filePath)
-    ? path.posix.normalize(params.filePath)
-    : path.posix.join(params.cwd, params.filePath);
-
-  return path.posix.relative(params.extractDir, basePath);
-}

package/src/utils/resolveSignal.ts

@@ -1,24 +0,0 @@
-const linuxSignalMapping = {
-  SIGHUP: 1,
-  SIGINT: 2,
-  SIGQUIT: 3,
-  SIGKILL: 9,
-  SIGTERM: 15,
-  SIGCONT: 18,
-  SIGSTOP: 19,
-} as const;
-
-type CommonLinuxSignals = keyof typeof linuxSignalMapping;
-
-export type Signal = CommonLinuxSignals | number;
-
-export function resolveSignal(signal: Signal): number {
-  if (typeof signal === "number") {
-    return signal;
-  }
-
-  if (signal in linuxSignalMapping) {
-    return linuxSignalMapping[signal];
-  }
-  throw new Error(`Unknown signal name: ${String(signal)}`);
-}

package/src/utils/types.test.js

@@ -1,7 +0,0 @@
-import { expect, it } from "vitest";
-import { getPrivateParams } from "./types";
-
-it("getPrivateParams filters unknown params", async () => {
-  const result = getPrivateParams({ foo: 123, __someParam: "abc" });
-  expect(result).toEqual({ __someParam: "abc" });
-});

package/src/utils/types.ts

@@ -1,23 +0,0 @@
-/**
- * Utility type that extends a type to accept private parameters.
- *
- * The private parameters can then be extracted out of the object using
- * `getPrivateParams`.
- */
-export type WithPrivate<T> = T & {
-  [K in `__${string}`]?: unknown;
-};
-
-/**
- * Extract private parameters out of an object.
- */
-export const getPrivateParams = (params?: object) => {
-  const privateEntries = Object.entries(params ?? {}).filter(([k]) =>
-    k.startsWith("__"),
-  );
-  return Object.fromEntries(privateEntries) as {
-    [K in keyof typeof params as K extends `__${string}`
-      ? K
-      : never]: (typeof params)[K];
-  };
-};

package/src/version.ts

@@ -1,2 +0,0 @@
-// Autogenerated by inject-version.ts
-export const VERSION = "1.2.0";

package/test-utils/mock-response.ts

@@ -1,12 +0,0 @@
-export function createNdjsonStream(
-  lines: object[],
-): ReadableStream<Uint8Array> {
-  const encoder = new TextEncoder();
-  const ndjson = lines.map((line) => JSON.stringify(line)).join("\n") + "\n";
-  return new ReadableStream({
-    start(controller) {
-      controller.enqueue(encoder.encode(ndjson));
-      controller.close();
-    },
-  });
-}

package/tsconfig.json

@@ -1,16 +0,0 @@
-{
-  "compilerOptions": {
-    "outDir": "./dist",
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "lib": ["ESNext"],
-    "strict": true,
-    "target": "ES2020",
-    "declaration": true,
-    "sourceMap": true,
-    "module": "commonjs",
-    "resolveJsonModule": true
-  },
-  "include": ["src/**/*.ts"],
-  "exclude": ["src/**/*.test.ts", "vitest.config.ts", "vitest.setup.ts"]
-}

package/turbo.json

@@ -1,9 +0,0 @@
-{
-  "extends": ["//"],
-  "tasks": {
-    "version:bump": {
-      "inputs": ["package.json"],
-      "outputs": ["src/version.ts"]
-    }
-  }
-}