@zapier/zapier-sdk-cli 0.52.12 → 0.53.0

package/dist/src/utils/auth/oauth-flow.js

@@ -1,90 +1,223 @@
-import open from "open";
-import crypto from "node:crypto";
 import express from "express";
-import pkceChallenge from "pkce-challenge";
-import { AUTH_MODE_HEADER, LOGIN_PORTS, LOGIN_TIMEOUT_MS } from "../constants";
-import { spinPromise } from "../spinner";
-import log from "../log";
-import api from "../api/client";
+import { createInterface } from "node:readline/promises";
+import open from "open";
+import { LOGIN_PORTS, LOGIN_TIMEOUT_MS } from "../constants";
+import { ZapierCliUserCancellationError, ZapierCliValidationError, } from "../errors";
 import getCallablePromise from "../getCallablePromise";
-import { getPkceLoginConfig } from "../../login";
-import { ZapierCliUserCancellationError } from "../errors";
-const findAvailablePort = () => {
+import log from "../log";
+import { spinPromise } from "../spinner";
+import { getCallbackCode } from "./oauth-callback";
+import { buildBrowserAuthUrl, exchangeOauthCode, OAUTH_LOOPBACK_HOST, prepareOauthTransaction, } from "./oauth-transaction";
+export { buildBrowserAuthUrl, OAUTH_LOOPBACK_HOST };
+class OauthFlowTimeoutError extends Error {
+    constructor(timeoutMs) {
+        super("OAuth flow timed out");
+        this.timeoutMs = timeoutMs;
+        this.name = "OauthFlowTimeoutError";
+    }
+}
+class OauthAuthorizationDeniedError extends Error {
+    constructor(reason) {
+        super("OAuth authorization denied");
+        this.reason = reason;
+        this.name = "OauthAuthorizationDeniedError";
+    }
+}
+function findAvailablePort() {
     return new Promise((resolve, reject) => {
         let portIndex = 0;
         const tryPort = (port) => {
-            const server = express().listen(port, () => {
+            const server = express().listen(port, OAUTH_LOOPBACK_HOST, () => {
                 server.close();
                 resolve(port);
             });
             server.on("error", (err) => {
-                if (err.code === "EADDRINUSE") {
-                    if (portIndex < LOGIN_PORTS.length) {
-                        tryPort(LOGIN_PORTS[portIndex++]);
-                    }
-                    else {
-                        reject(new Error(`All configured OAuth callback ports are busy: ${LOGIN_PORTS.join(", ")}. Please try again later or close applications using these ports.`));
-                    }
+                if (err.code === "EADDRINUSE" && portIndex < LOGIN_PORTS.length) {
+                    tryPort(LOGIN_PORTS[portIndex++]);
+                }
+                else if (err.code === "EADDRINUSE") {
+                    reject(new Error(`All configured OAuth callback ports are busy: ${LOGIN_PORTS.join(", ")}. Please try again later or close applications using these ports.`));
                 }
                 else {
                     reject(err);
                 }
             });
         };
-        if (LOGIN_PORTS.length > 0) {
+        if (LOGIN_PORTS.length > 0)
             tryPort(LOGIN_PORTS[portIndex++]);
-        }
-        else {
+        else
             reject(new Error("No OAuth callback ports configured"));
+    });
+}
+export async function runLoginOauthFlow(options) {
+    return runOauthFlowEntryPoint({
+        ...options,
+        entryPoint: "login",
+        authAction: "log in",
+        flowName: "Login",
+    });
+}
+export async function runSignupOauthFlow(options) {
+    if (options.headless) {
+        return runOauthFlowEntryPoint({
+            ...options,
+            entryPoint: "signup",
+            authAction: "sign up",
+            flowName: "Signup",
+            headless: true,
+        });
+    }
+    return runOauthFlowEntryPoint({
+        ...options,
+        entryPoint: "signup",
+        authAction: "sign up",
+        flowName: "Signup",
+    });
+}
+async function runOauthFlowEntryPoint({ flowName, ...options }) {
+    try {
+        return options.headless
+            ? await runHeadlessSignupOauthFlow(options)
+            : await runOauthFlow(options);
+    }
+    catch (error) {
+        if (error instanceof OauthFlowTimeoutError) {
+            throw new Error(withRecoveryMessage(`${flowName} timed out after ${Math.round(error.timeoutMs / 1000)} seconds.`, options.recoveryMessage));
         }
+        if (error instanceof OauthAuthorizationDeniedError) {
+            throw new Error(withRecoveryMessage(`Authorization denied: ${error.reason}.`, options.recoveryMessage));
+        }
+        if (error instanceof ZapierCliUserCancellationError && !options.silent) {
+            log.info(`\n❌ ${flowName} cancelled by user`);
+        }
+        throw error;
+    }
+}
+function withRecoveryMessage(message, recoveryMessage) {
+    return recoveryMessage ? `${message} ${recoveryMessage}` : message;
+}
+async function runOauthFlow({ timeoutMs = LOGIN_TIMEOUT_MS, pkceCredentials, baseUrl, entryPoint, authAction, silent = false, onProgress, }) {
+    const port = await findAvailablePort();
+    if (!silent)
+        log.info(`Using port ${port} for OAuth callback`);
+    const transaction = await prepareOauthTransaction({
+        pkceCredentials,
+        baseUrl,
+        redirectUri: `http://${OAUTH_LOOPBACK_HOST}:${port}/oauth`,
+        entryPoint,
+    });
+    const code = await collectLocalCallbackCode({
+        transaction,
+        timeoutMs,
+        authAction,
+        silent,
+        onProgress,
     });
-};
-const generateRandomString = () => {
-    const array = new Uint32Array(28);
-    crypto.getRandomValues(array);
-    return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join("");
-};
-function ensureOfflineAccess(scope) {
-    if (scope.includes("offline_access")) {
-        return scope;
+    onProgress?.({ type: "callback_accepted" });
+    if (!silent)
+        log.info("Exchanging authorization code for tokens...");
+    onProgress?.({ type: "token_exchange_started" });
+    const tokens = await exchangeOauthCode({ ...transaction, code });
+    if (!silent)
+        log.info("Token exchange completed successfully");
+    onProgress?.({ type: "token_exchange_completed" });
+    return tokens;
+}
+async function readHeadlessCallbackUrl({ timeoutMs, interactive, recoveryMessage, }) {
+    const timeoutMessage = withRecoveryMessage(`Signup timed out after ${Math.round(timeoutMs / 1000)} seconds.`, recoveryMessage);
+    const missingCallbackUrlMessage = withRecoveryMessage("Paste the final OAuth callback URL from your browser.", recoveryMessage);
+    // Keep TTY echo enabled for paste feedback; the PKCE code is single-use, verifier-protected, and exchanged immediately.
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const abortController = new AbortController();
+    const timeoutTimer = setTimeout(() => abortController.abort(), timeoutMs);
+    const readUrl = interactive
+        ? rl.question("Paste the final OAuth callback URL: ", {
+            signal: abortController.signal,
+        })
+        : new Promise((resolve, reject) => {
+            let settled = false;
+            const settleResolve = (value) => {
+                settled = true;
+                resolve(value);
+            };
+            const settleReject = (error) => {
+                if (settled)
+                    return;
+                settled = true;
+                reject(error);
+            };
+            abortController.signal.addEventListener("abort", () => settleReject(new Error(timeoutMessage)), { once: true });
+            rl.once("line", settleResolve);
+            rl.once("close", () => settleReject(new ZapierCliValidationError(missingCallbackUrlMessage)));
+            rl.once("error", settleReject);
+        });
+    try {
+        return await readUrl.catch((error) => {
+            if (error instanceof Error && error.name === "AbortError") {
+                throw new Error(timeoutMessage);
+            }
+            throw error;
+        });
+    }
+    finally {
+        clearTimeout(timeoutTimer);
+        rl.close();
     }
-    return `${scope} offline_access`;
 }
-// Does not persist anything — caller decides what to do with the tokens.
-export async function runOauthFlow({ timeoutMs = LOGIN_TIMEOUT_MS, pkceCredentials, baseUrl, }) {
-    const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-        credentials: pkceCredentials,
+async function runHeadlessSignupOauthFlow({ timeoutMs = LOGIN_TIMEOUT_MS, pkceCredentials, baseUrl, interactive = true, onProgress, recoveryMessage, }) {
+    const port = LOGIN_PORTS[0];
+    if (port === undefined) {
+        throw new Error("No OAuth callback ports configured");
+    }
+    const transaction = await prepareOauthTransaction({
+        pkceCredentials,
         baseUrl,
+        redirectUri: `http://${OAUTH_LOOPBACK_HOST}:${port}/oauth`,
+        entryPoint: "signup",
+    });
+    console.log("Use this mode when signing up from a machine that has no browser.");
+    console.log("Open this signup URL in a browser on another machine:");
+    console.log(transaction.browserAuthUrl);
+    console.log(`When the browser lands on ${transaction.redirectUri} and cannot connect, paste the full final URL back here.`);
+    const callbackUrl = await readHeadlessCallbackUrl({
+        timeoutMs,
+        interactive,
+        recoveryMessage,
     });
-    const scope = ensureOfflineAccess(pkceCredentials?.scope || "internal credentials");
-    const availablePort = await findAvailablePort();
-    const redirectUri = `http://localhost:${availablePort}/oauth`;
-    log.info(`Using port ${availablePort} for OAuth callback`);
-    const { promise: promisedCode, resolve: setCode, reject: rejectCode, } = getCallablePromise();
-    const oauthState = generateRandomString();
-    const expressApp = express();
-    expressApp.get("/oauth", (req, res) => {
+    const code = getCallbackCode({
+        callbackUrl,
+        transaction,
+        recoveryMessage,
+    });
+    onProgress?.({ type: "callback_accepted" });
+    console.log("Exchanging authorization code for tokens...");
+    onProgress?.({ type: "token_exchange_started" });
+    const tokens = await exchangeOauthCode({ ...transaction, code });
+    onProgress?.({ type: "token_exchange_completed" });
+    return tokens;
+}
+async function collectLocalCallbackCode({ transaction, timeoutMs, authAction, silent, onProgress, }) {
+    const { promise, resolve, reject } = getCallablePromise();
+    const app = express();
+    app.get("/oauth", (req, res) => {
         res.setHeader("Connection", "close");
-        if (req.query.state !== oauthState) {
-            rejectCode(new Error("OAuth state mismatch — possible CSRF"));
+        if (req.query.state !== transaction.state) {
             res.status(400).end("Invalid state. You can close this tab.");
-            return;
         }
-        if (req.query.error) {
-            const desc = req.query.error_description ?? req.query.error;
-            rejectCode(new Error(`Authorization denied: ${desc}`));
+        else if (req.query.error) {
+            reject(new OauthAuthorizationDeniedError(String(req.query.error_description ?? req.query.error)));
             res.end("Authorization was denied. You can close this tab.");
-            return;
         }
-        if (!req.query.code) {
-            rejectCode(new Error("No authorization code received"));
+        else if (!req.query.code) {
+            reject(new Error("No authorization code received"));
             res.end("No authorization code received. You can close this tab.");
-            return;
         }
-        setCode(String(req.query.code));
-        res.end("You can now close this tab and return to the CLI.");
+        else {
+            resolve(String(req.query.code));
+            res.end("You can now close this tab and return to the CLI.");
+        }
     });
-    const server = expressApp.listen(availablePort);
+    const server = app.listen(Number(new URL(transaction.redirectUri).port), OAUTH_LOOPBACK_HOST);
     const connections = new Set();
     server.on("connection", (conn) => {
         connections.add(conn);
@@ -92,70 +225,89 @@ export async function runOauthFlow({ timeoutMs = LOGIN_TIMEOUT_MS, pkceCredentia
     });
     const cleanup = () => {
         server.close();
-        log.info("\n❌ Login cancelled by user");
-        rejectCode(new ZapierCliUserCancellationError());
+        reject(new ZapierCliUserCancellationError());
     };
     process.on("SIGINT", cleanup);
     process.on("SIGTERM", cleanup);
-    const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
-    const authUrl = `${authorizeUrl}?${new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        scope,
-        state: oauthState,
-        code_challenge: codeChallenge,
-        code_challenge_method: "S256",
-    }).toString()}`;
-    log.info("Opening your browser to log in.");
-    log.info("If it doesn't open, visit:", authUrl);
-    open(authUrl);
     let timeoutTimer;
     try {
-        await spinPromise(Promise.race([
-            promisedCode,
-            new Promise((_resolve, reject) => {
+        await waitForServerListening(server);
+        await openBrowser({ transaction, authAction, silent, onProgress });
+        const waitForCode = Promise.race([
+            promise,
+            new Promise((_resolve, rejectTimeout) => {
                 timeoutTimer = setTimeout(() => {
-                    reject(new Error(`Login timed out after ${Math.round(timeoutMs / 1000)} seconds.`));
+                    rejectTimeout(new OauthFlowTimeoutError(timeoutMs));
                 }, timeoutMs);
             }),
-        ]), "Waiting for you to login and authorize");
+        ]);
+        onProgress?.({ type: "callback_waiting" });
+        return silent
+            ? await waitForCode
+            : await spinPromise(waitForCode, `Waiting for you to ${authAction} and authorize`);
     }
     finally {
-        if (timeoutTimer) {
+        if (timeoutTimer)
             clearTimeout(timeoutTimer);
-        }
         process.off("SIGINT", cleanup);
         process.off("SIGTERM", cleanup);
-        await new Promise((resolve) => {
-            const timeout = setTimeout(() => {
-                log.info("Server close timed out, forcing connection shutdown...");
-                connections.forEach((conn) => conn.destroy());
-                resolve();
-            }, 1000);
-            server.close(() => {
-                clearTimeout(timeout);
-                resolve();
-            });
+        await closeServer({ server, connections, silent });
+    }
+}
+async function waitForServerListening(server) {
+    if (server.listening)
+        return;
+    await new Promise((resolve, reject) => {
+        const cleanup = () => {
+            server.off("listening", handleListening);
+            server.off("error", handleError);
+        };
+        const handleListening = () => {
+            cleanup();
+            resolve();
+        };
+        const handleError = (error) => {
+            cleanup();
+            reject(error);
+        };
+        server.once("listening", handleListening);
+        server.once("error", handleError);
+    });
+}
+async function openBrowser({ transaction, authAction, silent, onProgress, }) {
+    if (!silent) {
+        log.info(`Opening your browser to ${authAction}.`);
+        log.info("If it doesn't open, visit:", transaction.browserAuthUrl);
+    }
+    onProgress?.({ type: "browser_opening", url: transaction.browserAuthUrl });
+    try {
+        await open(transaction.browserAuthUrl);
+        onProgress?.({ type: "browser_opened", url: transaction.browserAuthUrl });
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        if (!silent) {
+            log.info(`Browser did not open automatically to ${authAction}: ${reason}`);
+            log.info("Visit this URL manually:", transaction.browserAuthUrl);
+        }
+        onProgress?.({
+            type: "browser_open_failed",
+            url: transaction.browserAuthUrl,
+            reason,
         });
     }
-    log.info("Exchanging authorization code for tokens...");
-    const { data } = await api.post(tokenUrl, {
-        grant_type: "authorization_code",
-        code: await promisedCode,
-        redirect_uri: redirectUri,
-        client_id: clientId,
-        code_verifier: codeVerifier,
-    }, {
-        headers: {
-            [AUTH_MODE_HEADER]: "no",
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
+}
+async function closeServer({ server, connections, silent, }) {
+    await new Promise((resolve) => {
+        const timeout = setTimeout(() => {
+            if (!silent)
+                log.info("Server close timed out, forcing connection shutdown...");
+            connections.forEach((conn) => conn.destroy());
+            resolve();
+        }, 1000);
+        server.close(() => {
+            clearTimeout(timeout);
+            resolve();
+        });
     });
-    log.info("Token exchange completed successfully");
-    return {
-        accessToken: data.access_token,
-        refreshToken: data.refresh_token,
-        expiresIn: data.expires_in,
-    };
 }

package/dist/src/utils/auth/oauth-transaction.d.ts

@@ -0,0 +1,35 @@
+import { type PkceCredentials } from "../../login";
+export declare const OAUTH_LOOPBACK_HOST = "localhost";
+export interface OauthTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresIn: number;
+}
+export type OauthFlowEntryPoint = "login" | "signup";
+interface PrepareOauthTransactionOptions {
+    pkceCredentials?: PkceCredentials;
+    baseUrl?: string;
+    redirectUri: string;
+    entryPoint?: OauthFlowEntryPoint;
+}
+export interface OauthTransaction {
+    browserAuthUrl: string;
+    clientId: string;
+    codeVerifier: string;
+    redirectUri: string;
+    state: string;
+    tokenUrl: string;
+}
+export declare function buildBrowserAuthUrl({ authorizeUrl, entryPoint, }: {
+    authorizeUrl: string;
+    entryPoint?: OauthFlowEntryPoint;
+}): string;
+export declare function prepareOauthTransaction({ pkceCredentials, baseUrl, redirectUri, entryPoint, }: PrepareOauthTransactionOptions): Promise<OauthTransaction>;
+export declare function exchangeOauthCode({ tokenUrl, code, redirectUri, clientId, codeVerifier, }: {
+    tokenUrl: string;
+    code: string;
+    redirectUri: string;
+    clientId: string;
+    codeVerifier: string;
+}): Promise<OauthTokens>;
+export {};

package/dist/src/utils/auth/oauth-transaction.js

@@ -0,0 +1,69 @@
+import crypto from "node:crypto";
+import pkceChallenge from "pkce-challenge";
+import { AUTH_MODE_HEADER } from "../constants";
+import api from "../api/client";
+import { getPkceLoginConfig } from "../../login";
+export const OAUTH_LOOPBACK_HOST = "localhost";
+export function buildBrowserAuthUrl({ authorizeUrl, entryPoint = "login", }) {
+    if (entryPoint === "login")
+        return authorizeUrl;
+    const parsedAuthorizeUrl = new URL(authorizeUrl);
+    const signupUrl = new URL("/sign-up", parsedAuthorizeUrl);
+    signupUrl.searchParams.set("skipOnboarding", "true");
+    signupUrl.searchParams.set("next", `${parsedAuthorizeUrl.pathname}${parsedAuthorizeUrl.search}`);
+    return signupUrl.toString();
+}
+function generateRandomString() {
+    const array = new Uint32Array(28);
+    crypto.getRandomValues(array);
+    return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join("");
+}
+function ensureOfflineAccess(scope) {
+    if (scope.includes("offline_access"))
+        return scope;
+    return `${scope} offline_access`;
+}
+export async function prepareOauthTransaction({ pkceCredentials, baseUrl, redirectUri, entryPoint = "login", }) {
+    const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
+        credentials: pkceCredentials,
+        baseUrl,
+    });
+    const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
+    const state = generateRandomString();
+    const authUrl = `${authorizeUrl}?${new URLSearchParams({
+        response_type: "code",
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        scope: ensureOfflineAccess(pkceCredentials?.scope || "internal credentials"),
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256",
+    }).toString()}`;
+    return {
+        browserAuthUrl: buildBrowserAuthUrl({ authorizeUrl: authUrl, entryPoint }),
+        clientId,
+        codeVerifier,
+        redirectUri,
+        state,
+        tokenUrl,
+    };
+}
+export async function exchangeOauthCode({ tokenUrl, code, redirectUri, clientId, codeVerifier, }) {
+    const { data } = await api.post(tokenUrl, {
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        client_id: clientId,
+        code_verifier: codeVerifier,
+    }, {
+        headers: {
+            [AUTH_MODE_HEADER]: "no",
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+    });
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresIn: data.expires_in,
+    };
+}

package/dist/src/utils/non-interactive.d.ts

@@ -2,12 +2,13 @@
  * Resolve whether a CLI invocation should run non-interactively.
  *
  * A command is non-interactive when the user explicitly opts out via
- * `--non-interactive` / `--skip-prompts`, OR when stdin or stdout isn't a
- * TTY (CI, piped output, etc.). The TTY check matters because prompting
- * against a non-TTY stream hangs or crashes — every plugin that gates
- * inquirer prompts on this flag needs the same answer.
+ * `--non-interactive`, OR when stdin or stdout isn't a TTY (CI, piped output,
+ * etc.). The TTY check matters because prompting against a non-TTY stream
+ * hangs or crashes — every plugin that gates inquirer prompts on this flag
+ * needs the same answer.
  */
 export declare function resolveNonInteractive(options: {
     nonInteractive?: boolean;
+    /** @deprecated Use `nonInteractive` instead. */
     skipPrompts?: boolean;
 }): boolean;

package/dist/src/utils/non-interactive.js

@@ -2,13 +2,14 @@
  * Resolve whether a CLI invocation should run non-interactively.
  *
  * A command is non-interactive when the user explicitly opts out via
- * `--non-interactive` / `--skip-prompts`, OR when stdin or stdout isn't a
- * TTY (CI, piped output, etc.). The TTY check matters because prompting
- * against a non-TTY stream hangs or crashes — every plugin that gates
- * inquirer prompts on this flag needs the same answer.
+ * `--non-interactive`, OR when stdin or stdout isn't a TTY (CI, piped output,
+ * etc.). The TTY check matters because prompting against a non-TTY stream
+ * hangs or crashes — every plugin that gates inquirer prompts on this flag
+ * needs the same answer.
  */
 export function resolveNonInteractive(options) {
-    return ((options.nonInteractive ?? options.skipPrompts) === true ||
+    return (options.nonInteractive === true ||
+        options.skipPrompts === true ||
         !process.stdin.isTTY ||
         !process.stdout.isTTY);
 }