@zapier/zapier-sdk-cli 0.42.1 → 0.43.0

package/dist/index.mjs

@@ -1,8 +1,14 @@
-import * as cliLogin from '@zapier/zapier-sdk-cli-login';
-import { logout, getConfigPath, getLoggedInUser, getPkceLoginConfig, AUTH_MODE_HEADER, getLoginStorageMode, updateLogin } from '@zapier/zapier-sdk-cli-login';
+import Conf from 'conf';
+import * as fs from 'fs';
+import { existsSync, mkdirSync, writeFileSync, promises, createWriteStream, readdirSync, rmSync, copyFileSync, readFileSync } from 'fs';
+import * as jwt from 'jsonwebtoken';
+import { deletePassword, setPassword, getPassword, getKeyring } from 'cross-keychain';
+import crypto, { createHash } from 'crypto';
+import * as path from 'path';
+import { dirname, resolve, join, basename, relative, extname } from 'path';
+import * as lockfile from 'proper-lockfile';
 import { createFunction, OutputPropertySchema, DEFAULT_CONFIG_PATH, injectCliLogin, createZapierSdk, getOsInfo, getPlatformVersions, getCiPlatform, isCi, ZapierValidationError, ZapierUnknownError, getReleaseId, getCurrentTimestamp, generateEventId, batch, toSnakeCase, buildApplicationLifecycleEvent, ZapierError, isCredentialsObject } from '@zapier/zapier-sdk';
 import open from 'open';
-import crypto, { createHash } from 'crypto';
 import express from 'express';
 import pkceChallenge from 'pkce-challenge';
 import ora from 'ora';
@@ -11,10 +17,6 @@ import inquirer from 'inquirer';
 import { z } from 'zod';
 import { startMcpServer } from '@zapier/zapier-sdk-mcp';
 import { buildSync } from 'esbuild';
-import * as fs from 'fs';
-import { promises, createWriteStream, existsSync, readdirSync, rmSync, mkdirSync, writeFileSync, copyFileSync, readFileSync } from 'fs';
-import * as path from 'path';
-import { resolve, join, dirname, basename, relative, extname } from 'path';
 import { mkdir, writeFile, access } from 'fs/promises';
 import * as ts from 'typescript';
 import 'is-installed-globally';
@@ -22,7 +24,586 @@ import { execSync } from 'child_process';
 import Handlebars from 'handlebars';
 import { fileURLToPath } from 'url';
 
-// src/sdk.ts
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/login.ts
+var login_exports = {};
+__export(login_exports, {
+  AUTH_MODE_HEADER: () => AUTH_MODE_HEADER,
+  ZapierAuthenticationError: () => ZapierAuthenticationError,
+  createCache: () => createCache,
+  getAuthAuthorizeUrl: () => getAuthAuthorizeUrl,
+  getAuthTokenUrl: () => getAuthTokenUrl,
+  getConfig: () => getConfig,
+  getConfigPath: () => getConfigPath,
+  getLoggedInUser: () => getLoggedInUser,
+  getLoginStorageMode: () => getLoginStorageMode,
+  getPkceLoginConfig: () => getPkceLoginConfig,
+  getToken: () => getToken,
+  logout: () => logout,
+  unloadConfig: () => unloadConfig,
+  updateLogin: () => updateLogin
+});
+var SERVICE = "zapier-sdk-cli";
+var ACCOUNT = "login";
+var cachedBackendInfo;
+async function getBackendInfo() {
+  if (!cachedBackendInfo) {
+    const keyring = await getKeyring();
+    cachedBackendInfo = `${keyring.name} (${keyring.id})`;
+  }
+  return cachedBackendInfo;
+}
+var keychainQueue = Promise.resolve();
+function enqueue(fn) {
+  const result = keychainQueue.then(fn, fn);
+  keychainQueue = result.then(
+    () => {
+    },
+    () => {
+    }
+  );
+  return result;
+}
+async function getTokensFromKeychain({
+  debugLog
+} = {}) {
+  return enqueue(async () => {
+    const backendInfo = await getBackendInfo();
+    debugLog?.(`Keychain read via ${backendInfo}`);
+    const startTime = Date.now();
+    const raw = await getPassword(SERVICE, ACCOUNT);
+    debugLog?.(`Keychain read completed in ${Date.now() - startTime}ms`);
+    if (!raw) {
+      debugLog?.("Keychain returned no data");
+      return void 0;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      debugLog?.("Keychain data is not valid JSON");
+      return void 0;
+    }
+    if (typeof parsed.login_jwt === "string" && typeof parsed.login_refresh_token === "string") {
+      return {
+        login_jwt: parsed.login_jwt,
+        login_refresh_token: parsed.login_refresh_token
+      };
+    }
+    debugLog?.("Keychain data has invalid shape", parsed);
+    return void 0;
+  });
+}
+async function setTokensInKeychain({
+  data,
+  debugLog
+}) {
+  return enqueue(async () => {
+    const backendInfo = await getBackendInfo();
+    debugLog?.(`Keychain write via ${backendInfo}`);
+    const startTime = Date.now();
+    await setPassword(SERVICE, ACCOUNT, JSON.stringify(data));
+    debugLog?.(`Keychain write completed in ${Date.now() - startTime}ms`);
+  });
+}
+async function clearTokensFromKeychain({
+  debugLog
+} = {}) {
+  return enqueue(async () => {
+    try {
+      const backendInfo = await getBackendInfo();
+      debugLog?.(`Keychain clear via ${backendInfo}`);
+      await deletePassword(SERVICE, ACCOUNT);
+    } catch {
+    }
+  });
+}
+var SERVICE2 = "zapier-sdk-cache";
+var CONFIG_KEY = "cache";
+var LOCK_UPDATE_MS = 5e3;
+var LOCK_STALE_MS = 1e4;
+var LOCK_RETRY_WAIT_MS = 100;
+var LOCK_RETRY_MAX_WAIT_MS = 1e3;
+var LOCK_RETRY_COUNT = 120;
+function keychainAccount(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function readConfigMap() {
+  const cfg = getConfig();
+  const stored = cfg.get(CONFIG_KEY);
+  if (stored && typeof stored === "object") {
+    return stored;
+  }
+  return {};
+}
+function writeConfigMap(map) {
+  getConfig().set(CONFIG_KEY, map);
+}
+function entryIsExpired(entry) {
+  return entry.expires_at !== void 0 && entry.expires_at <= Date.now();
+}
+function createCache() {
+  return {
+    async get(key) {
+      const entry = readConfigMap()[key];
+      if (!entry) return void 0;
+      if (entryIsExpired(entry)) return void 0;
+      if (entry.secret) {
+        const stored = await enqueue(async () => {
+          await getBackendInfo();
+          return getPassword(SERVICE2, keychainAccount(key));
+        });
+        if (!stored) {
+          return void 0;
+        }
+        return { value: stored, expiresAt: entry.expires_at };
+      }
+      if (entry.value === void 0) return void 0;
+      return { value: entry.value, expiresAt: entry.expires_at };
+    },
+    async set(key, value, options) {
+      const secret = options?.secret ?? false;
+      const expiresAt = options?.ttl ? Date.now() + options.ttl * 1e3 : void 0;
+      if (secret) {
+        try {
+          await enqueue(async () => {
+            await getBackendInfo();
+            await setPassword(SERVICE2, keychainAccount(key), value);
+          });
+        } catch {
+          return;
+        }
+        const map = readConfigMap();
+        map[key] = { secret: true, expires_at: expiresAt };
+        try {
+          writeConfigMap(map);
+        } catch {
+        }
+      } else {
+        const map = readConfigMap();
+        map[key] = { secret: false, value, expires_at: expiresAt };
+        try {
+          writeConfigMap(map);
+        } catch {
+        }
+      }
+    },
+    async delete(key) {
+      const map = readConfigMap();
+      const entry = map[key];
+      if (entry) {
+        delete map[key];
+        try {
+          writeConfigMap(map);
+        } catch {
+        }
+      }
+      if (entry?.secret) {
+        try {
+          await enqueue(async () => {
+            await getBackendInfo();
+            await deletePassword(SERVICE2, keychainAccount(key));
+          });
+        } catch {
+        }
+      }
+    },
+    async withLock(_key, fn) {
+      const cfg = getConfig();
+      const lockTarget = `${cfg.path}.cache-lock`;
+      try {
+        mkdirSync(dirname(lockTarget), { recursive: true });
+        if (!existsSync(lockTarget)) {
+          writeFileSync(lockTarget, "");
+        }
+      } catch {
+        return fn();
+      }
+      let release = null;
+      try {
+        release = await lockfile.lock(lockTarget, {
+          stale: LOCK_STALE_MS,
+          update: LOCK_UPDATE_MS,
+          retries: {
+            retries: LOCK_RETRY_COUNT,
+            factor: 1.2,
+            minTimeout: LOCK_RETRY_WAIT_MS,
+            maxTimeout: LOCK_RETRY_MAX_WAIT_MS
+          }
+        });
+      } catch {
+        return fn();
+      }
+      try {
+        return await fn();
+      } finally {
+        try {
+          await release();
+        } catch {
+        }
+      }
+    }
+  };
+}
+
+// src/login/index.ts
+var ZapierAuthenticationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ZapierAuthenticationError";
+  }
+};
+var config = null;
+var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
+var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+function createDebugLog(enabled) {
+  if (!enabled) {
+    return () => {
+    };
+  }
+  return (message, data) => {
+    if (data === void 0) {
+      console.log(`[Zapier SDK CLI Login] ${message}`);
+    } else {
+      console.log(`[Zapier SDK CLI Login] ${message}`, data);
+    }
+  };
+}
+function censorHeaderValue(value) {
+  if (value.length > 12) {
+    return `${value.substring(0, 4)}...${value.substring(value.length - 4)}`;
+  }
+  return `${value.charAt(0)}...`;
+}
+function getAuthClientId(clientId) {
+  return clientId || DEFAULT_AUTH_CLIENT_ID;
+}
+var AUTH_MODE_HEADER = "X-Auth";
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+function getAuthTokenUrl(options) {
+  const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
+  return `${authBaseUrl}/oauth/token/`;
+}
+function getAuthAuthorizeUrl(options) {
+  const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
+  return `${authBaseUrl}/oauth/authorize/`;
+}
+function getPkceLoginConfig(options) {
+  return {
+    clientId: getAuthClientId(options?.credentials?.clientId),
+    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({
+      baseUrl: options?.credentials?.baseUrl
+    })
+  };
+}
+var cachedLogin;
+function getConfig() {
+  if (!config) {
+    config = new Conf({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function unloadConfig() {
+  config = null;
+  cachedLogin = void 0;
+}
+async function updateLogin(loginData, options = {}) {
+  const debugLog = createDebugLog(options.debug ?? false);
+  const storage = options.storage ?? cachedLogin?.storage ?? "keychain";
+  const expiresAt = Date.now() + loginData.expires_in * 1e3;
+  const cfg = getConfig();
+  cfg.set("login_storage_mode", storage);
+  if (storage === "keychain") {
+    await setTokensInKeychain({
+      data: {
+        login_jwt: loginData.access_token,
+        login_refresh_token: loginData.refresh_token
+      },
+      debugLog
+    });
+    cfg.set("login_expires_at", expiresAt);
+    cfg.delete("login_jwt");
+    cfg.delete("login_refresh_token");
+  } else {
+    cfg.set("login_jwt", loginData.access_token);
+    cfg.set("login_refresh_token", loginData.refresh_token);
+    cfg.set("login_expires_at", expiresAt);
+    await clearTokensFromKeychain({ debugLog });
+  }
+  cachedLogin = {
+    jwt: loginData.access_token,
+    refreshToken: loginData.refresh_token,
+    expiresAt,
+    storage
+  };
+}
+function decodeJwtOrThrow(token) {
+  if (typeof token !== "string") {
+    throw new Error("Expected JWT to be a string");
+  }
+  const decodedJwt = jwt.decode(token, { complete: true });
+  if (!decodedJwt) {
+    throw new Error("Could not decode JWT");
+  }
+  if (typeof decodedJwt.payload === "string") {
+    throw new Error("Did not expect JWT payload to be a string");
+  }
+  return decodedJwt;
+}
+async function refreshJwt(refreshToken, options = {}) {
+  const {
+    onEvent,
+    fetch: fetch2 = globalThis.fetch,
+    credentials,
+    debug = false
+  } = options;
+  const debugLog = createDebugLog(debug);
+  const tokenUrl = getAuthTokenUrl({ baseUrl: credentials?.baseUrl });
+  const clientId = getAuthClientId(credentials?.clientId);
+  const startTime = Date.now();
+  try {
+    onEvent?.({
+      type: "auth_refreshing",
+      payload: {
+        message: "Refreshing your token...",
+        operation: "token_refresh"
+      },
+      timestamp: Date.now()
+    });
+    debugLog(`\u2192 POST ${tokenUrl}`, {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        [AUTH_MODE_HEADER]: "no"
+      },
+      body: {
+        client_id: clientId,
+        refresh_token: censorHeaderValue(refreshToken),
+        grant_type: "refresh_token"
+      }
+    });
+    const response = await fetch2(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        [AUTH_MODE_HEADER]: "no"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        refresh_token: refreshToken,
+        grant_type: "refresh_token"
+      })
+    });
+    const duration = Date.now() - startTime;
+    if (!response.ok) {
+      debugLog(`\u2190 ${response.status} ${response.statusText} (${duration}ms)`);
+      throw new Error(
+        `Token refresh failed: ${response.status} ${response.statusText}`
+      );
+    }
+    debugLog(`\u2190 ${response.status} ${response.statusText} (${duration}ms)`);
+    const data = await response.json();
+    await updateLogin(data, { debug });
+    debugLog(
+      `Token refreshed and saved to ${cachedLogin?.storage ?? "keychain"}`
+    );
+    onEvent?.({
+      type: "auth_success",
+      payload: {
+        message: "Token refreshed successfully",
+        operation: "token_refresh"
+      },
+      timestamp: Date.now()
+    });
+    return data.access_token;
+  } catch (error) {
+    const duration = Date.now() - startTime;
+    debugLog(`\u2716 Token refresh failed (${duration}ms)`, {
+      error: error instanceof Error ? error.message : error
+    });
+    cachedLogin = void 0;
+    const errorMessage = `Token refresh failed: ${error instanceof Error ? error.message : "Unknown error"}`;
+    onEvent?.({
+      type: "auth_error",
+      payload: {
+        message: errorMessage,
+        error: errorMessage,
+        operation: "token_refresh"
+      },
+      timestamp: Date.now()
+    });
+    throw error;
+  }
+}
+var pendingRefresh = null;
+var pendingResolve = null;
+async function resolveStoredLogin(debugLog) {
+  if (cachedLogin) {
+    debugLog("Using in-memory cached credentials");
+    return cachedLogin;
+  }
+  if (pendingResolve) {
+    debugLog("Waiting for existing keychain read to complete");
+    return pendingResolve;
+  }
+  pendingResolve = resolveStoredLoginFromStorage(debugLog).finally(() => {
+    pendingResolve = null;
+  });
+  return pendingResolve;
+}
+async function resolveStoredLoginFromStorage(debugLog) {
+  let cfg;
+  try {
+    cfg = getConfig();
+  } catch (error) {
+    debugLog("Failed to load config", {
+      error: error instanceof Error ? error.message : error
+    });
+    return void 0;
+  }
+  const expiresAt = cfg.get("login_expires_at");
+  const configJwt = cfg.get("login_jwt");
+  const configRefresh = cfg.get("login_refresh_token");
+  if (configJwt && configRefresh && typeof expiresAt === "number") {
+    debugLog("Loaded credentials from config (legacy format)");
+    cachedLogin = {
+      jwt: configJwt,
+      refreshToken: configRefresh,
+      expiresAt,
+      storage: "config"
+    };
+    return cachedLogin;
+  }
+  if (typeof expiresAt !== "number") {
+    debugLog("No stored login credentials found");
+    return void 0;
+  }
+  const keychainData = await getTokensFromKeychain({ debugLog });
+  if (!keychainData) {
+    debugLog("No tokens found in keychain");
+    return void 0;
+  }
+  debugLog("Loaded credentials from keychain");
+  cachedLogin = {
+    jwt: keychainData.login_jwt,
+    refreshToken: keychainData.login_refresh_token,
+    expiresAt,
+    storage: "keychain"
+  };
+  return cachedLogin;
+}
+async function resolveOrRefreshToken(options = {}) {
+  const { debug = false } = options;
+  const debugLog = createDebugLog(debug);
+  const stored = await resolveStoredLogin(debugLog);
+  if (!stored) {
+    return void 0;
+  }
+  const { jwt: storedJwt, refreshToken, expiresAt } = stored;
+  if (expiresAt > Date.now() + TOKEN_REFRESH_BUFFER_MS) {
+    debugLog("Using cached token (still valid)");
+    return storedJwt;
+  }
+  debugLog("Token expired, refreshing...");
+  if (pendingRefresh) {
+    debugLog("Waiting for existing refresh to complete");
+    return pendingRefresh;
+  }
+  pendingRefresh = refreshJwt(refreshToken, options).finally(() => {
+    pendingRefresh = null;
+  });
+  return await pendingRefresh;
+}
+async function getToken(options = {}) {
+  try {
+    return await resolveOrRefreshToken(options);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Token refresh failed";
+    throw new ZapierAuthenticationError(
+      `${message}
+Please run 'login' to authenticate again.`
+    );
+  }
+}
+async function getLoggedInUser(options = {}) {
+  const jwt2 = await getToken(options).catch(() => void 0);
+  if (!jwt2) {
+    throw new Error(
+      "No valid authentication token available. Please login first."
+    );
+  }
+  let decodedJwt = decodeJwtOrThrow(jwt2);
+  if (decodedJwt.payload["sub_type"] == "service") {
+    decodedJwt = decodeJwtOrThrow(decodedJwt.payload["njwt"]);
+  }
+  if (typeof decodedJwt.payload["zap:acc"] !== "string") {
+    throw new Error("JWT payload does not contain accountId");
+  }
+  const accountId = parseInt(decodedJwt.payload["zap:acc"], 10);
+  if (isNaN(accountId)) {
+    throw new Error("JWT accountId is not a number");
+  }
+  if (decodedJwt.payload["sub_type"] !== "customuser" || typeof decodedJwt.payload["sub"] !== "string") {
+    throw new Error("JWT payload does not contain customUserId");
+  }
+  const customUserId = parseInt(decodedJwt.payload["sub"], 10);
+  if (isNaN(customUserId)) {
+    throw new Error("JWT customUserId is not a number");
+  }
+  const email = decodedJwt.payload["zap:uname"];
+  if (typeof email !== "string") {
+    throw new Error("JWT payload does not contain email");
+  }
+  return {
+    accountId,
+    customUserId,
+    email
+  };
+}
+function getLoginStorageMode() {
+  const cfg = getConfig();
+  if (typeof cfg.get("login_jwt") === "string") {
+    return "config";
+  }
+  const explicitMode = cfg.get("login_storage_mode");
+  if (explicitMode === "keychain" || explicitMode === "config") {
+    return explicitMode;
+  }
+  return "keychain";
+}
+async function logout(options = {}) {
+  const { onEvent } = options;
+  const mode = getLoginStorageMode();
+  cachedLogin = void 0;
+  await clearTokensFromKeychain();
+  const cfg = getConfig();
+  cfg.set("login_storage_mode", mode);
+  cfg.delete("login_expires_at");
+  cfg.delete("login_jwt");
+  cfg.delete("login_refresh_token");
+  onEvent?.({
+    type: "auth_logout",
+    payload: { message: "Logged out successfully", operation: "logout" },
+    timestamp: Date.now()
+  });
+}
+function getConfigPath() {
+  const cfg = getConfig();
+  return cfg.path;
+}
+
+// src/utils/constants.ts
 var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
 var LOGIN_TIMEOUT_MS = 3e5;
 var ZapierCliError = class extends ZapierError {
@@ -2469,10 +3050,10 @@ var initPlugin = () => {
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.42.1"};
+  version: "0.43.0"};
 
 // src/sdk.ts
-injectCliLogin(cliLogin);
+injectCliLogin(login_exports);
 function createZapierCliSdk(options = {}) {
   return createZapierSdk({
     ...options,
@@ -2483,7 +3064,7 @@ function createZapierCliSdk(options = {}) {
 
 // package.json
 var package_default2 = {
-  version: "0.42.1"};
+  version: "0.43.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {