@zapier/zapier-sdk-cli 0.47.0 → 0.48.0

package/dist/src/utils/auth/oauth-flow.d.ts

@@ -0,0 +1,12 @@
+import { type PkceCredentials } from "../../login";
+export interface OauthTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+}
+export interface RunOauthFlowOptions {
+    timeoutMs?: number;
+    pkceCredentials?: PkceCredentials;
+    baseUrl?: string;
+}
+export declare function runOauthFlow({ timeoutMs, pkceCredentials, baseUrl, }: RunOauthFlowOptions): Promise<OauthTokens>;

package/dist/src/utils/auth/{login.js → oauth-flow.js}

@@ -7,8 +7,7 @@ import { spinPromise } from "../spinner";
 import log from "../log";
 import api from "../api/client";
 import getCallablePromise from "../getCallablePromise";
-import inquirer from "inquirer";
-import { updateLogin, logout, getPkceLoginConfig, getLoginStorageMode, getConfigPath, } from "../../login";
+import { getPkceLoginConfig } from "../../login";
 import { ZapierCliUserCancellationError } from "../errors";
 const findAvailablePort = () => {
     return new Promise((resolve, reject) => {
@@ -21,11 +20,9 @@ const findAvailablePort = () => {
             server.on("error", (err) => {
                 if (err.code === "EADDRINUSE") {
                     if (portIndex < LOGIN_PORTS.length) {
-                        // Try next predefined port
                         tryPort(LOGIN_PORTS[portIndex++]);
                     }
                     else {
-                        // All configured ports are busy
                         reject(new Error(`All configured OAuth callback ports are busy: ${LOGIN_PORTS.join(", ")}. Please try again later or close applications using these ports.`));
                     }
                 }
@@ -45,41 +42,54 @@ const findAvailablePort = () => {
 const generateRandomString = () => {
     const array = new Uint32Array(28);
     crypto.getRandomValues(array);
-    return Array.from(array, (dec) => ("0" + dec.toString(16)).substring(-2)).join("");
+    return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join("");
 };
-// Ensure offline_access is included in scope for PKCE (needed for refresh tokens)
 function ensureOfflineAccess(scope) {
     if (scope.includes("offline_access")) {
         return scope;
     }
     return `${scope} offline_access`;
 }
-const login = async ({ timeoutMs = LOGIN_TIMEOUT_MS, credentials, }) => {
+// Does not persist anything — caller decides what to do with the tokens.
+export async function runOauthFlow({ timeoutMs = LOGIN_TIMEOUT_MS, pkceCredentials, baseUrl, }) {
     const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-        credentials,
+        credentials: pkceCredentials,
+        baseUrl,
     });
-    const scope = ensureOfflineAccess(credentials?.scope || "internal credentials");
-    await logout();
-    // Find an available port
+    const scope = ensureOfflineAccess(pkceCredentials?.scope || "internal credentials");
     const availablePort = await findAvailablePort();
     const redirectUri = `http://localhost:${availablePort}/oauth`;
     log.info(`Using port ${availablePort} for OAuth callback`);
     const { promise: promisedCode, resolve: setCode, reject: rejectCode, } = getCallablePromise();
-    const app = express();
-    app.get("/oauth", (req, res) => {
-        setCode(String(req.query.code));
-        // Set headers to prevent keep-alive
+    const oauthState = generateRandomString();
+    const expressApp = express();
+    expressApp.get("/oauth", (req, res) => {
         res.setHeader("Connection", "close");
+        if (req.query.state !== oauthState) {
+            rejectCode(new Error("OAuth state mismatch — possible CSRF"));
+            res.status(400).end("Invalid state. You can close this tab.");
+            return;
+        }
+        if (req.query.error) {
+            const desc = req.query.error_description ?? req.query.error;
+            rejectCode(new Error(`Authorization denied: ${desc}`));
+            res.end("Authorization was denied. You can close this tab.");
+            return;
+        }
+        if (!req.query.code) {
+            rejectCode(new Error("No authorization code received"));
+            res.end("No authorization code received. You can close this tab.");
+            return;
+        }
+        setCode(String(req.query.code));
         res.end("You can now close this tab and return to the CLI.");
     });
-    const server = app.listen(availablePort);
-    // Track connections to force close them if needed
+    const server = expressApp.listen(availablePort);
     const connections = new Set();
     server.on("connection", (conn) => {
         connections.add(conn);
         conn.on("close", () => connections.delete(conn));
     });
-    // Set up signal handlers for graceful shutdown
     const cleanup = () => {
         server.close();
         log.info("\n❌ Login cancelled by user");
@@ -93,14 +103,13 @@ const login = async ({ timeoutMs = LOGIN_TIMEOUT_MS, credentials, }) => {
         client_id: clientId,
         redirect_uri: redirectUri,
         scope,
-        state: generateRandomString(),
+        state: oauthState,
         code_challenge: codeChallenge,
         code_challenge_method: "S256",
     }).toString()}`;
     log.info("Opening your browser to log in.");
     log.info("If it doesn't open, visit:", authUrl);
     open(authUrl);
-    // Track the timeout timer so we can cancel it after login succeeds
     let timeoutTimer;
     try {
         await spinPromise(Promise.race([
@@ -113,21 +122,17 @@ const login = async ({ timeoutMs = LOGIN_TIMEOUT_MS, credentials, }) => {
         ]), "Waiting for you to login and authorize");
     }
     finally {
-        // Clear the timeout timer to prevent it from keeping the process alive
         if (timeoutTimer) {
             clearTimeout(timeoutTimer);
         }
-        // Remove signal handlers
         process.off("SIGINT", cleanup);
         process.off("SIGTERM", cleanup);
-        // Close server with timeout and force-close connections if needed
         await new Promise((resolve) => {
             const timeout = setTimeout(() => {
                 log.info("Server close timed out, forcing connection shutdown...");
-                // Force close all connections
                 connections.forEach((conn) => conn.destroy());
                 resolve();
-            }, 1000); // 1 second timeout
+            }, 1000);
             server.close(() => {
                 clearTimeout(timeout);
                 resolve();
@@ -147,37 +152,10 @@ const login = async ({ timeoutMs = LOGIN_TIMEOUT_MS, credentials, }) => {
             "Content-Type": "application/x-www-form-urlencoded",
         },
     });
-    let targetStorage;
-    if (getLoginStorageMode() === "config") {
-        const { upgrade } = await inquirer.prompt([
-            {
-                type: "confirm",
-                name: "upgrade",
-                message: "Would you like to upgrade to system keychain storage? " +
-                    "This is recommended to securely store your credentials. " +
-                    "However, note that older SDK/CLI versions will NOT be able to read these credentials, " +
-                    "so you will want to upgrade them to the latest version.",
-                default: true,
-            },
-        ]);
-        targetStorage = upgrade ? "keychain" : "config";
-    }
-    else {
-        targetStorage = "keychain";
-    }
-    try {
-        await updateLogin(data, { storage: targetStorage });
-    }
-    catch (err) {
-        if (targetStorage === "keychain") {
-            log.warn(`Could not store credentials in system keychain. Storing in plaintext at ${getConfigPath()}.`);
-            await updateLogin(data, { storage: "config" });
-        }
-        else {
-            throw err;
-        }
-    }
     log.info("Token exchange completed successfully");
-    return data.access_token;
-};
-export default login;
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresIn: data.expires_in,
+    };
+}

package/dist/src/utils/retry.d.ts

@@ -0,0 +1,5 @@
+export declare function withRetry<T>({ action, attempts, initialDelayMs, }: {
+    action: () => Promise<T>;
+    attempts?: number;
+    initialDelayMs?: number;
+}): Promise<T>;

package/dist/src/utils/retry.js

@@ -0,0 +1,21 @@
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+export async function withRetry({ action, attempts = 3, initialDelayMs = 100, }) {
+    if (attempts <= 0) {
+        throw new Error("withRetry: attempts must be greater than 0");
+    }
+    let lastError;
+    for (let i = 0; i < attempts; i++) {
+        try {
+            return await action();
+        }
+        catch (err) {
+            lastError = err;
+            if (i < attempts - 1) {
+                await sleep(initialDelayMs * 2 ** i);
+            }
+        }
+    }
+    throw lastError;
+}