@zapier/zapier-sdk-cli 0.52.12 → 0.53.1

package/dist/src/utils/auth/account-auth.js

@@ -0,0 +1,265 @@
+import { hostname } from "node:os";
+import inquirer from "inquirer";
+import { buildApplicationLifecycleEvent, getOrCreateApiClient, isCredentialsObject, } from "@zapier/zapier-sdk";
+import { revokeCredentials } from "../../login/credentials-revoke";
+import { deleteStoredClientCredentials, getActiveCredentials, } from "../../login/credentials-store";
+import { clearLegacyJwtState, hasLegacyJwtConfig, } from "../../login/legacy-jwt";
+import { resolveCredentialsBaseUrl } from "../../plugins/auth/credentials-base-url";
+import { resolveNonInteractive } from "../non-interactive";
+import { ZapierCliUserCancellationError, ZapierCliValidationError, } from "../errors";
+import { EMPTY_POLICY, setupClientCredentials } from "./client-credentials";
+import { runLoginOauthFlow, runSignupOauthFlow, } from "./oauth-flow";
+import { toRedactedOauthError } from "./oauth-errors";
+const LEGACY_JWT_UPGRADE_PROMPT = "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?";
+const SIGNUP_RECOVERY_MESSAGE = "Restart `zapier-sdk signup` to generate a fresh signup URL and try again.";
+const HEADLESS_SIGNUP_RECOVERY_MESSAGE = "Restart `zapier-sdk signup --headless` to generate a fresh signup URL and try again.";
+function getEntryPointLabel(entryPoint) {
+    return entryPoint === "signup" ? "Signup" : "Login";
+}
+function getActiveCredentialsAction(entryPoint) {
+    return entryPoint === "signup" ? "continue signup" : "log in again";
+}
+function getCredentialsPromptMessage(entryPoint) {
+    return entryPoint === "signup"
+        ? "Enter a name to identify these credentials:"
+        : "Enter a name to identify them:";
+}
+function getProfileMessage(entryPoint, email) {
+    return entryPoint === "signup"
+        ? `👤 Authenticated as ${email}`
+        : `👤 Logged in as ${email}`;
+}
+function defaultCredentialsName(email) {
+    return `${email}@${hostname()}`;
+}
+function validateCredentialsName(name) {
+    const trimmedName = name.trim();
+    if (!trimmedName)
+        throw new ZapierCliValidationError("Name cannot be empty");
+    return trimmedName;
+}
+async function promptCredentialsName({ email, promptMessage, }) {
+    const { credentialName } = await inquirer.prompt([
+        {
+            type: "input",
+            name: "credentialName",
+            message: promptMessage,
+            default: defaultCredentialsName(email),
+            validate: (input) => {
+                try {
+                    validateCredentialsName(input);
+                    return true;
+                }
+                catch (err) {
+                    return err instanceof Error ? err.message : String(err);
+                }
+            },
+        },
+    ]);
+    return validateCredentialsName(credentialName);
+}
+function resolveDefaultCredentialsName({ email, }) {
+    return validateCredentialsName(defaultCredentialsName(email));
+}
+function toPkceCredentials(credentials) {
+    if (credentials &&
+        isCredentialsObject(credentials) &&
+        !("clientSecret" in credentials)) {
+        return {
+            type: "pkce",
+            clientId: credentials.clientId,
+            baseUrl: credentials.baseUrl,
+            scope: credentials.scope,
+        };
+    }
+    return undefined;
+}
+function parseTimeoutSeconds(timeout) {
+    if (timeout === undefined)
+        return 300;
+    const timeoutSeconds = Number(timeout);
+    if (!Number.isInteger(timeoutSeconds) || timeoutSeconds <= 0) {
+        throw new ZapierCliValidationError("Timeout must be a positive integer (seconds).");
+    }
+    return timeoutSeconds;
+}
+async function promptConfirm({ message, defaultValue, }) {
+    const { confirmed } = await inquirer.prompt([
+        { type: "confirm", name: "confirmed", message, default: defaultValue },
+    ]);
+    return confirmed;
+}
+function promptlessCredentialResetError(credentials) {
+    throw new ZapierCliValidationError(`Already logged in as "${credentials.name}". Run \`logout\` first or use an interactive terminal to re-authenticate.`);
+}
+function promptlessLegacyJwtUpgradeError() {
+    throw new ZapierCliValidationError("Legacy JWT login detected. Run `logout` first or use an interactive terminal to migrate to client credentials.");
+}
+async function clearExistingAuthState({ sdk, baseUrl, interactive, entryPoint, }) {
+    const activeCredentials = getActiveCredentials({ baseUrl });
+    const flowLabel = getEntryPointLabel(entryPoint);
+    if (activeCredentials) {
+        const confirmed = interactive
+            ? await promptConfirm({
+                defaultValue: false,
+                message: `You are already logged in as "${activeCredentials.name}".\n` +
+                    "Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.\n" +
+                    `Log out and ${getActiveCredentialsAction(entryPoint)}?`,
+            })
+            : promptlessCredentialResetError(activeCredentials);
+        if (!confirmed) {
+            console.log(`${flowLabel} cancelled.`);
+            return false;
+        }
+        try {
+            await revokeCredentials({
+                api: sdk.context.api,
+                credentials: activeCredentials,
+            });
+        }
+        catch {
+            if (!interactive) {
+                throw new ZapierCliValidationError(`${flowLabel} cleanup failed and cannot be reset without confirmation. Re-run with an interactive terminal.`);
+            }
+            const reset = await promptConfirm({
+                defaultValue: false,
+                message: `${flowLabel} cleanup failed. Reset local session state and continue?`,
+            });
+            if (!reset) {
+                console.log(`${flowLabel} cancelled.`);
+                return false;
+            }
+            await deleteStoredClientCredentials({
+                name: activeCredentials.name,
+                baseUrl: activeCredentials.baseUrl,
+            });
+        }
+    }
+    else if (hasLegacyJwtConfig()) {
+        const confirmed = interactive
+            ? await promptConfirm({
+                defaultValue: true,
+                message: LEGACY_JWT_UPGRADE_PROMPT,
+            })
+            : promptlessLegacyJwtUpgradeError();
+        if (!confirmed) {
+            console.log(`${flowLabel} cancelled.`);
+            return false;
+        }
+    }
+    return true;
+}
+async function getProfile(api) {
+    return api.get("/zapier/api/v4/profile/", {
+        authRequired: true,
+    });
+}
+async function saveClientCredentials({ api, name, credentialsBaseUrl, useApprovals, cleanupLogPrefix, }) {
+    await setupClientCredentials({
+        api,
+        name,
+        credentialsBaseUrl,
+        ...(useApprovals && { policy: EMPTY_POLICY }),
+    });
+    try {
+        await clearLegacyJwtState();
+    }
+    catch (err) {
+        console.error(`[${cleanupLogPrefix}] Best-effort legacy JWT cleanup failed:`, err);
+    }
+}
+function emitAccountAuthSuccess({ sdk, profile, }) {
+    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "login_success" }, {
+        customuser_id: profile.user_id,
+        account_id: profile.roles[0]?.account_id ?? null,
+    }));
+}
+function emitSignupSuccess({ sdk, }) {
+    // `signup_success` tracks a valid signup OAuth callback being accepted.
+    // It does not mean a new Zapier account was created or local credentials were provisioned.
+    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "signup_success" }));
+}
+async function runOauthWithRedaction(runOauth) {
+    try {
+        return await runOauth();
+    }
+    catch (error) {
+        if (error instanceof ZapierCliUserCancellationError)
+            throw error;
+        throw toRedactedOauthError(error);
+    }
+}
+async function runOauthForEntryPoint({ sdk, entryPoint, timeoutMs, pkceCredentials, baseUrl, headless, interactive, }) {
+    if (entryPoint === "signup") {
+        return runOauthWithRedaction(() => runSignupOauthFlow({
+            timeoutMs,
+            pkceCredentials,
+            baseUrl,
+            headless,
+            interactive,
+            recoveryMessage: headless
+                ? HEADLESS_SIGNUP_RECOVERY_MESSAGE
+                : SIGNUP_RECOVERY_MESSAGE,
+            onProgress: (event) => {
+                if (event.type === "callback_accepted") {
+                    emitSignupSuccess({ sdk });
+                }
+            },
+        }));
+    }
+    return runOauthWithRedaction(() => runLoginOauthFlow({ timeoutMs, pkceCredentials, baseUrl }));
+}
+export async function runAccountAuth({ sdk, options, entryPoint, }) {
+    const timeoutSeconds = parseTimeoutSeconds(options.timeout);
+    const interactive = !resolveNonInteractive(options);
+    const resolvedCredentials = await sdk.context.resolveCredentials();
+    const pkceCredentials = toPkceCredentials(resolvedCredentials);
+    const credentialsBaseUrl = await resolveCredentialsBaseUrl({
+        ...sdk.context,
+        resolvedCredentials,
+    });
+    if (!(await clearExistingAuthState({
+        sdk,
+        baseUrl: credentialsBaseUrl,
+        interactive,
+        entryPoint,
+    }))) {
+        return;
+    }
+    const { accessToken } = await runOauthForEntryPoint({
+        sdk,
+        entryPoint,
+        timeoutMs: timeoutSeconds * 1000,
+        pkceCredentials,
+        baseUrl: credentialsBaseUrl,
+        headless: options.headless === true,
+        interactive,
+    });
+    const scopedApi = getOrCreateApiClient({
+        credentials: accessToken,
+        baseUrl: credentialsBaseUrl,
+    });
+    const profile = await getProfile(scopedApi);
+    console.log(getProfileMessage(entryPoint, profile.email));
+    console.log("\nGenerating credentials so this machine can make authenticated requests on your behalf.");
+    const resolveCredentialsName = interactive
+        ? ({ email }) => promptCredentialsName({
+            email,
+            promptMessage: getCredentialsPromptMessage(entryPoint),
+        })
+        : resolveDefaultCredentialsName;
+    const credentialName = await resolveCredentialsName({ email: profile.email });
+    const useApprovals = options.useApprovals === true;
+    await saveClientCredentials({
+        api: scopedApi,
+        name: credentialName,
+        credentialsBaseUrl,
+        useApprovals,
+        cleanupLogPrefix: entryPoint,
+    });
+    console.log(`✅ Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`);
+    if (useApprovals) {
+        console.log("🔐 Approvals are enabled for these credentials.");
+    }
+    emitAccountAuthSuccess({ sdk, profile });
+}

package/dist/src/utils/auth/oauth-callback.d.ts

@@ -0,0 +1,6 @@
+import type { OauthTransaction } from "./oauth-transaction";
+export declare function getCallbackCode({ callbackUrl, transaction, recoveryMessage, }: {
+    callbackUrl: string;
+    transaction: Pick<OauthTransaction, "redirectUri" | "state">;
+    recoveryMessage?: string;
+}): string;

package/dist/src/utils/auth/oauth-callback.js

@@ -0,0 +1,28 @@
+import { ZapierCliValidationError } from "../errors";
+export function getCallbackCode({ callbackUrl, transaction, recoveryMessage, }) {
+    let parsed;
+    try {
+        parsed = new URL(callbackUrl.trim());
+    }
+    catch {
+        throw new ZapierCliValidationError("Paste the final OAuth callback URL from your browser.");
+    }
+    const expected = new URL(transaction.redirectUri);
+    if (parsed.protocol !== "http:" ||
+        parsed.hostname !== expected.hostname ||
+        parsed.pathname !== expected.pathname ||
+        parsed.port !== expected.port) {
+        throw new ZapierCliValidationError(`Expected the final OAuth callback URL to start with ${transaction.redirectUri}.`);
+    }
+    if (parsed.searchParams.get("state") !== transaction.state) {
+        throw new ZapierCliValidationError(`OAuth state mismatch.${recoveryMessage ? ` ${recoveryMessage}` : ""}`);
+    }
+    if (parsed.searchParams.has("error")) {
+        throw new ZapierCliValidationError(`Authorization denied: ${parsed.searchParams.get("error_description") ?? parsed.searchParams.get("error")}.${recoveryMessage ? ` ${recoveryMessage}` : ""}`);
+    }
+    const code = parsed.searchParams.get("code");
+    if (!code) {
+        throw new ZapierCliValidationError("No authorization code found in the pasted callback URL.");
+    }
+    return code;
+}

package/dist/src/utils/auth/oauth-errors.d.ts

@@ -0,0 +1,2 @@
+export declare function redactSensitiveOauthErrorMessage(message: string): string;
+export declare function toRedactedOauthError(error: unknown): Error;

package/dist/src/utils/auth/oauth-errors.js

@@ -0,0 +1,39 @@
+import { ZapierCliValidationError } from "../errors";
+const SENSITIVE_OAUTH_FIELDS = [
+    "access_token",
+    "refresh_token",
+    "id_token",
+    "client_secret",
+    "code_verifier",
+    "code_challenge",
+];
+function getErrorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+function toCamelCase(field) {
+    return field.replace(/_([a-z])/g, (_match, letter) => letter.toUpperCase());
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+const sensitiveOauthFieldPattern = Array.from(new Set(SENSITIVE_OAUTH_FIELDS.flatMap((field) => [field, toCamelCase(field)])))
+    .map(escapeRegExp)
+    .join("|");
+const sensitiveQueryParamPattern = new RegExp(`([?&])(${sensitiveOauthFieldPattern})(=)[^&#\\s"'<>]*`, "gi");
+export function redactSensitiveOauthErrorMessage(message) {
+    return message
+        .replace(sensitiveQueryParamPattern, (_match, prefix, key, separator) => `${prefix}${key}${separator}[REDACTED]`)
+        .replace(new RegExp(`"(${sensitiveOauthFieldPattern})"(\\s*:\\s*)"[^"]*"`, "g"), (_match, key, separator) => `"${key}"${separator}"[REDACTED]"`);
+}
+export function toRedactedOauthError(error) {
+    const message = redactSensitiveOauthErrorMessage(getErrorMessage(error));
+    if (error instanceof ZapierCliValidationError) {
+        return new ZapierCliValidationError(message);
+    }
+    if (error instanceof Error) {
+        const redactedError = new Error(message);
+        redactedError.name = error.name;
+        return redactedError;
+    }
+    return new ZapierCliValidationError(message);
+}

package/dist/src/utils/auth/oauth-flow.d.ts

@@ -1,12 +1,37 @@
 import { type PkceCredentials } from "../../login";
-export interface OauthTokens {
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-}
+import { buildBrowserAuthUrl, OAUTH_LOOPBACK_HOST, type OauthTokens } from "./oauth-transaction";
+export { buildBrowserAuthUrl, OAUTH_LOOPBACK_HOST };
+export type { OauthFlowEntryPoint, OauthTokens } from "./oauth-transaction";
+export type OauthFlowProgressEvent = {
+    type: "browser_opening";
+    url: string;
+} | {
+    type: "browser_opened";
+    url: string;
+} | {
+    type: "browser_open_failed";
+    url: string;
+    reason: string;
+} | {
+    type: "callback_waiting";
+} | {
+    type: "callback_accepted";
+} | {
+    type: "token_exchange_started";
+} | {
+    type: "token_exchange_completed";
+};
 export interface RunOauthFlowOptions {
     timeoutMs?: number;
     pkceCredentials?: PkceCredentials;
     baseUrl?: string;
+    silent?: boolean;
+    onProgress?: (event: OauthFlowProgressEvent) => void;
+    recoveryMessage?: string;
+}
+interface RunSignupOauthFlowOptions extends RunOauthFlowOptions {
+    headless?: boolean;
+    interactive?: boolean;
 }
-export declare function runOauthFlow({ timeoutMs, pkceCredentials, baseUrl, }: RunOauthFlowOptions): Promise<OauthTokens>;
+export declare function runLoginOauthFlow(options: RunOauthFlowOptions): Promise<OauthTokens>;
+export declare function runSignupOauthFlow(options: RunSignupOauthFlowOptions): Promise<OauthTokens>;