@zapier/zapier-sdk-cli 0.55.2 → 0.55.3

package/dist/src/login/credentials-store.d.ts

@@ -11,6 +11,28 @@ export type CredentialsEntry = z.infer<typeof CredentialsEntrySchema>;
 export declare function getActiveCredentials(options?: {
     baseUrl?: string;
 }): CredentialsEntry | undefined;
+/**
+ * Pick the first credential name not already present in `taken`. Returns
+ * `baseName` if it is free, otherwise appends an incrementing `-1`, `-2`, …
+ * suffix to the literal base — a base ending in a digit is left intact, so
+ * `acme-1` collides into `acme-1-1`. Storing a credential under a name that
+ * already exists locally silently replaces that entry (and deletes its
+ * keychain secret), so non-interactive login uses this to avoid clobbering a
+ * dormant credential of the same name.
+ */
+export declare function firstAvailableCredentialName({ baseName, taken, }: {
+    baseName: string;
+    taken: ReadonlySet<string>;
+}): string;
+/**
+ * Resolve a locally-unique credential name for the given baseUrl. Local
+ * credentials are keyed by (name, baseUrl), so name collisions — and the
+ * suffixing that avoids them — are scoped per baseUrl.
+ */
+export declare function resolveAvailableCredentialName({ baseName, baseUrl, }: {
+    baseName: string;
+    baseUrl?: string;
+}): string;
 export declare function storeClientCredentials({ name, clientId, clientSecret, scopes, baseUrl, }: {
     name: string;
     clientId: string;

package/dist/src/login/credentials-store.js

@@ -3,6 +3,7 @@ import { getPassword, setPassword, deletePassword } from "cross-keychain";
 import { z } from "zod";
 import { DEFAULT_AUTH_BASE_URL, getConfig } from "./config";
 import { enqueue, getBackendInfo } from "./keychain";
+import { ZapierCliValidationError } from "../utils/errors";
 const SERVICE = "zapier-sdk-cli";
 const CREDENTIALS_KEY = "credentials";
 const REGISTRY_KEY = "credentialsRegistry";
@@ -41,6 +42,38 @@ export function getActiveCredentials(options) {
         return undefined;
     return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
 }
+const MAX_CREDENTIAL_NAME_ATTEMPTS = 500;
+/**
+ * Pick the first credential name not already present in `taken`. Returns
+ * `baseName` if it is free, otherwise appends an incrementing `-1`, `-2`, …
+ * suffix to the literal base — a base ending in a digit is left intact, so
+ * `acme-1` collides into `acme-1-1`. Storing a credential under a name that
+ * already exists locally silently replaces that entry (and deletes its
+ * keychain secret), so non-interactive login uses this to avoid clobbering a
+ * dormant credential of the same name.
+ */
+export function firstAvailableCredentialName({ baseName, taken, }) {
+    if (!taken.has(baseName))
+        return baseName;
+    for (let i = 1; i <= MAX_CREDENTIAL_NAME_ATTEMPTS; i++) {
+        const candidate = `${baseName}-${i}`;
+        if (!taken.has(candidate))
+            return candidate;
+    }
+    throw new ZapierCliValidationError(`Could not find an available credential name for "${baseName}" after ${MAX_CREDENTIAL_NAME_ATTEMPTS} attempts.`);
+}
+/**
+ * Resolve a locally-unique credential name for the given baseUrl. Local
+ * credentials are keyed by (name, baseUrl), so name collisions — and the
+ * suffixing that avoids them — are scoped per baseUrl.
+ */
+export function resolveAvailableCredentialName({ baseName, baseUrl, }) {
+    const resolvedBaseUrl = normalizeBaseUrl(baseUrl);
+    const taken = new Set(readRegistry()
+        .filter((e) => e.baseUrl === resolvedBaseUrl)
+        .map((e) => e.name));
+    return firstAvailableCredentialName({ baseName, taken });
+}
 export async function storeClientCredentials({ name, clientId, clientSecret, scopes, baseUrl, }) {
     if (!name || typeof name !== "string") {
         throw new Error("storeClientCredentials: name is required");

package/dist/src/utils/auth/account-auth.js

@@ -2,7 +2,7 @@ import { hostname } from "node:os";
 import inquirer from "inquirer";
 import { buildApplicationLifecycleEvent, getOrCreateApiClient, isCredentialsObject, } from "@zapier/zapier-sdk";
 import { revokeCredentials } from "../../login/credentials-revoke";
-import { deleteStoredClientCredentials, getActiveCredentials, } from "../../login/credentials-store";
+import { deleteStoredClientCredentials, getActiveCredentials, resolveAvailableCredentialName, } from "../../login/credentials-store";
 import { clearLegacyJwtState, hasLegacyJwtConfig, } from "../../login/legacy-jwt";
 import { resolveCredentialsBaseUrl } from "../../plugins/auth/credentials-base-url";
 import { resolveNonInteractive } from "../non-interactive";
@@ -242,13 +242,18 @@ export async function runAccountAuth({ sdk, options, entryPoint, }) {
     const profile = await getProfile(scopedApi);
     console.log(getProfileMessage(entryPoint, profile.email));
     console.log("\nGenerating credentials so this machine can make authenticated requests on your behalf.");
-    const resolveCredentialsName = interactive
-        ? ({ email }) => promptCredentialsName({
-            email,
+    const baseName = interactive
+        ? await promptCredentialsName({
+            email: profile.email,
             promptMessage: getCredentialsPromptMessage(entryPoint),
         })
-        : resolveDefaultCredentialsName;
-    const credentialName = await resolveCredentialsName({ email: profile.email });
+        : resolveDefaultCredentialsName({ email: profile.email });
+    // Non-interactive login can't prompt for a new name, so a default name that
+    // already exists locally would silently overwrite that credential. Suffix it
+    // instead. Interactive callers chose the name themselves, so leave it as-is.
+    const credentialName = interactive
+        ? baseName
+        : resolveAvailableCredentialName({ baseName, baseUrl: credentialsBaseUrl });
     const useApprovals = options.useApprovals === true;
     await saveClientCredentials({
         api: scopedApi,