@zapier/zapier-sdk 0.18.3 → 1.0.0

package/dist/credentials.js

@@ -0,0 +1,174 @@
+/**
+ * Credentials Resolution
+ *
+ * This module provides the core logic for resolving credentials from various sources:
+ * - Explicit credentials option
+ * - Deprecated token option
+ * - Environment variables (new and deprecated)
+ * - CLI login stored tokens
+ */
+import { isCredentialsFunction, isCredentialsObject, } from "./types/credentials";
+import { logDeprecation } from "./utils/logging";
+import { getZapierBaseUrl } from "./utils/url-utils";
+import { ZAPIER_CREDENTIALS, ZAPIER_CREDENTIALS_CLIENT_ID, ZAPIER_CREDENTIALS_CLIENT_SECRET, ZAPIER_CREDENTIALS_BASE_URL, ZAPIER_CREDENTIALS_SCOPE, ZAPIER_TOKEN, ZAPIER_AUTH_BASE_URL, ZAPIER_AUTH_CLIENT_ID, } from "./constants";
+/**
+ * Derive the auth base URL from the SDK base URL.
+ * Returns the Zapier root domain (e.g., https://zapier.com from https://api.zapier.com).
+ */
+function deriveAuthBaseUrl(sdkBaseUrl) {
+    if (!sdkBaseUrl)
+        return undefined;
+    return getZapierBaseUrl(sdkBaseUrl);
+}
+/**
+ * Normalize a credentials object by ensuring it has a type and resolved baseUrl.
+ */
+function normalizeCredentialsObject(obj, sdkBaseUrl) {
+    // Resolve baseUrl: use credentials baseUrl, or derive from SDK baseUrl
+    const resolvedBaseUrl = obj.baseUrl || deriveAuthBaseUrl(sdkBaseUrl);
+    // Explicitly construct the correct typed object to satisfy TypeScript
+    if (obj.type === "client_credentials" ||
+        ("clientSecret" in obj && obj.clientSecret)) {
+        return {
+            type: "client_credentials",
+            clientId: obj.clientId,
+            clientSecret: obj.clientSecret,
+            baseUrl: resolvedBaseUrl,
+            scope: obj.scope,
+        };
+    }
+    return {
+        type: "pkce",
+        clientId: obj.clientId,
+        baseUrl: resolvedBaseUrl,
+        scope: obj.scope,
+    };
+}
+/**
+ * Resolve credentials from environment variables.
+ *
+ * Precedence:
+ * 1. ZAPIER_CREDENTIALS (string token)
+ * 2. ZAPIER_CREDENTIALS_CLIENT_ID + ZAPIER_CREDENTIALS_CLIENT_SECRET (client credentials)
+ * 3. ZAPIER_CREDENTIALS_CLIENT_ID alone (PKCE)
+ * 4. Deprecated ZAPIER_TOKEN, ZAPIER_AUTH_* vars (with warnings)
+ *
+ * @param sdkBaseUrl - SDK base URL used to derive auth base URL if not specified
+ */
+export function resolveCredentialsFromEnv(sdkBaseUrl) {
+    // 1. Check ZAPIER_CREDENTIALS (string token only)
+    if (ZAPIER_CREDENTIALS) {
+        return ZAPIER_CREDENTIALS;
+    }
+    // 2. Check ZAPIER_CREDENTIALS_* individual vars
+    if (ZAPIER_CREDENTIALS_CLIENT_ID) {
+        const resolvedBaseUrl = ZAPIER_CREDENTIALS_BASE_URL || deriveAuthBaseUrl(sdkBaseUrl);
+        // Infer type from presence of clientSecret
+        if (ZAPIER_CREDENTIALS_CLIENT_SECRET) {
+            return {
+                type: "client_credentials",
+                clientId: ZAPIER_CREDENTIALS_CLIENT_ID,
+                clientSecret: ZAPIER_CREDENTIALS_CLIENT_SECRET,
+                baseUrl: resolvedBaseUrl,
+                scope: ZAPIER_CREDENTIALS_SCOPE,
+            };
+        }
+        else {
+            return {
+                type: "pkce",
+                clientId: ZAPIER_CREDENTIALS_CLIENT_ID,
+                baseUrl: resolvedBaseUrl,
+                scope: ZAPIER_CREDENTIALS_SCOPE,
+            };
+        }
+    }
+    // 3. Check deprecated env vars (with warnings)
+    if (ZAPIER_TOKEN) {
+        logDeprecation("ZAPIER_TOKEN is deprecated. Use ZAPIER_CREDENTIALS instead.");
+        return ZAPIER_TOKEN;
+    }
+    if (ZAPIER_AUTH_CLIENT_ID) {
+        logDeprecation("ZAPIER_AUTH_CLIENT_ID is deprecated. Use ZAPIER_CREDENTIALS_CLIENT_ID instead.");
+        if (ZAPIER_AUTH_BASE_URL) {
+            logDeprecation("ZAPIER_AUTH_BASE_URL is deprecated. Use ZAPIER_CREDENTIALS_BASE_URL instead.");
+        }
+        const resolvedBaseUrl = ZAPIER_AUTH_BASE_URL || deriveAuthBaseUrl(sdkBaseUrl);
+        return {
+            type: "pkce",
+            clientId: ZAPIER_AUTH_CLIENT_ID,
+            baseUrl: resolvedBaseUrl,
+        };
+    }
+    return undefined;
+}
+/**
+ * Resolve credentials from all possible sources.
+ *
+ * Precedence:
+ * 1. Explicit credentials option
+ * 2. Deprecated token option (with warning)
+ * 3. Environment variables
+ * 4. CLI login stored token (handled separately in auth.ts)
+ *
+ * If credentials is a function, it is called and must return
+ * a string or credentials object (not another function).
+ *
+ * The baseUrl option is used to derive the auth base URL if not
+ * specified in credentials.
+ */
+export async function resolveCredentials(options = {}) {
+    const { baseUrl } = options;
+    // 1. Check explicit credentials option
+    if (options.credentials !== undefined) {
+        // If it's a function, call it
+        if (isCredentialsFunction(options.credentials)) {
+            const resolved = await options.credentials();
+            // Validate that the function didn't return another function
+            if (typeof resolved === "function") {
+                throw new Error("Credentials function returned another function. " +
+                    "Credentials functions must return a string or credentials object.");
+            }
+            // Normalize object if needed
+            if (isCredentialsObject(resolved)) {
+                return normalizeCredentialsObject(resolved, baseUrl);
+            }
+            return resolved;
+        }
+        // If it's an object, normalize it
+        if (isCredentialsObject(options.credentials)) {
+            return normalizeCredentialsObject(options.credentials, baseUrl);
+        }
+        // It's a string token
+        return options.credentials;
+    }
+    // 2. Check deprecated token option (with warning)
+    if (options.token !== undefined) {
+        logDeprecation("The `token` option is deprecated. Use `credentials` instead.");
+        return options.token;
+    }
+    // 3. Check environment variables
+    const envCredentials = resolveCredentialsFromEnv(baseUrl);
+    if (envCredentials !== undefined) {
+        return envCredentials;
+    }
+    // 4. CLI login is handled separately in auth.ts
+    return undefined;
+}
+/**
+ * Extract the base URL from credentials for use in auth flows.
+ */
+export function getBaseUrlFromCredentials(credentials) {
+    if (credentials && isCredentialsObject(credentials)) {
+        return credentials.baseUrl;
+    }
+    return undefined;
+}
+/**
+ * Extract the client ID from credentials for use in auth flows.
+ */
+export function getClientIdFromCredentials(credentials) {
+    if (credentials && isCredentialsObject(credentials)) {
+        return credentials.clientId;
+    }
+    return undefined;
+}