@zapier/zapier-sdk 0.18.4 → 1.0.0

package/dist/auth.js

@@ -2,15 +2,129 @@
  * SDK Authentication Utilities
  *
  * This module provides SDK-level authentication utilities focused
- * solely on token acquisition. CLI-specific functionality like login/logout
- * is handled by the @zapier/zapier-sdk-cli-login package.
+ * on token acquisition. It uses the credentials system for resolution
+ * and handles different credential types appropriately.
+ *
+ * CLI-specific functionality like login/logout is handled by the
+ * @zapier/zapier-sdk-cli-login package.
+ */
+import { isClientCredentials, isPkceCredentials } from "./types/credentials";
+import { resolveCredentials, getClientIdFromCredentials } from "./credentials";
+import { ZAPIER_BASE_URL } from "./constants";
+export { isClientCredentials, isPkceCredentials, isCredentialsObject, isCredentialsFunction, } from "./types/credentials";
+/**
+ * In-memory cache for tokens obtained via client credentials flow.
+ * Keyed by clientId.
+ */
+const tokenCache = new Map();
+/**
+ * In-flight token exchange promises to prevent duplicate exchanges.
+ * When an exchange is in progress, subsequent calls await the same promise.
+ */
+const pendingExchanges = new Map();
+/**
+ * Clear the token cache. Useful for testing or forcing re-authentication.
+ */
+export function clearTokenCache() {
+    tokenCache.clear();
+    pendingExchanges.clear();
+}
+const TOKEN_EXPIRATION_BUFFER = 5 * 60 * 1000; // 5 minutes
+/**
+ * Get a cached token if it exists and is not expired.
+ * Returns undefined if no valid cached token exists.
  */
+function getCachedToken(clientId) {
+    const cached = tokenCache.get(clientId);
+    if (!cached)
+        return undefined;
+    // Check if token is still valid (with expiration buffer)
+    if (cached.expiresAt > Date.now() + TOKEN_EXPIRATION_BUFFER) {
+        return cached.accessToken;
+    }
+    // Token expired, remove from cache
+    tokenCache.delete(clientId);
+    return undefined;
+}
+/**
+ * Cache a token obtained from client credentials flow.
+ */
+function cacheToken(clientId, accessToken, expiresIn) {
+    tokenCache.set(clientId, {
+        accessToken,
+        expiresAt: Date.now() + expiresIn * 1000,
+    });
+}
+/**
+ * Invalidate a cached token. Called when we get a 401 response.
+ */
+export function invalidateCachedToken(clientId) {
+    tokenCache.delete(clientId);
+}
 /**
- * Gets the ZAPIER_TOKEN from environment variables.
- * Returns undefined if not set.
+ * Get the token endpoint URL for client credentials exchange.
  */
-export function getTokenFromEnv() {
-    return process.env.ZAPIER_TOKEN;
+function getTokenEndpointUrl(baseUrl) {
+    const base = baseUrl || ZAPIER_BASE_URL;
+    return `${base}/oauth/token/`;
+}
+/**
+ * Exchange client credentials for an access token.
+ */
+async function exchangeClientCredentials(options) {
+    const { clientId, clientSecret, baseUrl, scope, onEvent } = options;
+    const fetchFn = options.fetch || globalThis.fetch;
+    const tokenUrl = getTokenEndpointUrl(baseUrl);
+    onEvent?.({
+        type: "auth_exchanging",
+        payload: {
+            message: "Exchanging client credentials for token...",
+            operation: "client_credentials",
+        },
+        timestamp: Date.now(),
+    });
+    const response = await fetchFn(tokenUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: new URLSearchParams({
+            grant_type: "client_credentials",
+            client_id: clientId,
+            client_secret: clientSecret,
+            scope: scope || "external",
+            audience: "zapier.com",
+        }),
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        onEvent?.({
+            type: "auth_error",
+            payload: {
+                message: `Client credentials exchange failed: ${response.status}`,
+                error: errorText,
+                operation: "client_credentials",
+            },
+            timestamp: Date.now(),
+        });
+        throw new Error(`Client credentials exchange failed: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    if (!data.access_token) {
+        throw new Error("Client credentials response missing access_token");
+    }
+    // Cache the token
+    const expiresIn = data.expires_in || 3600; // Default to 1 hour
+    cacheToken(clientId, data.access_token, expiresIn);
+    onEvent?.({
+        type: "auth_success",
+        payload: {
+            message: "Client credentials exchange successful",
+            operation: "client_credentials",
+        },
+        timestamp: Date.now(),
+    });
+    return data.access_token;
 }
 /**
  * Attempts to get a token by optionally importing from CLI login package.
@@ -18,11 +132,13 @@ export function getTokenFromEnv() {
  *
  * Returns undefined if no valid token is found or CLI package is not available.
  */
-export async function getTokenFromCliLogin(options = {}) {
+export async function getTokenFromCliLogin(options) {
     try {
-        // Dynamically import the CLI login package if available
-        const { getToken } = await import("@zapier/zapier-sdk-cli-login");
-        return await getToken(options);
+        // Dynamically import the CLI login package if available.
+        // This is intentionally an async import because this module is a dependency
+        // of the CLI and is only available when the CLI is installed!
+        const cliLogin = await import("@zapier/zapier-sdk-cli-login");
+        return await cliLogin.getToken(options);
     }
     catch {
         // CLI login package is not available, return undefined
@@ -30,43 +146,99 @@ export async function getTokenFromCliLogin(options = {}) {
     }
 }
 /**
- * Attempts to get a token with the following precedence:
- * 1. ZAPIER_TOKEN environment variable
- * 2. CLI login package (if available) with auto-refresh
+ * Resolves an auth token from wherever it can be found.
+ *
+ * Resolution order:
+ * 1. Explicit credentials option (or deprecated token option)
+ * 2. Environment variables
+ * 3. CLI login package (if available)
+ *
+ * For different credential types:
+ * - String: Used directly as the token
+ * - Client credentials: Exchanged for an access token (with caching)
+ * - PKCE: Delegates to CLI login (throws if not available)
  *
  * Returns undefined if no valid token is found.
  */
-export async function getTokenFromEnvOrConfig(options = {}) {
-    // First priority: environment variable
-    const envToken = getTokenFromEnv();
-    if (envToken) {
-        return envToken;
+export async function resolveAuthToken(options = {}) {
+    // Resolve credentials from options and env vars
+    const credentials = await resolveCredentials({
+        credentials: options.credentials,
+        token: options.token,
+    });
+    // If we got credentials, process them based on type
+    if (credentials !== undefined) {
+        return resolveAuthTokenFromCredentials(credentials, options);
     }
-    // Second priority: CLI login package (if available)
-    return getTokenFromCliLogin(options);
+    // No credentials from options or env, try CLI login for stored token
+    return getTokenFromCliLogin({
+        onEvent: options.onEvent,
+        fetch: options.fetch,
+    });
 }
 /**
- * Resolves an auth token from all possible sources with the following precedence:
- * 1. Explicitly provided token in options
- * 2. Token from getToken callback in options
- * 3. ZAPIER_TOKEN environment variable
- * 4. CLI login package (if available)
- *
- * This is the canonical token resolution logic used throughout the SDK.
- * Returns undefined if no valid token is found.
+ * Resolve an auth token from resolved credentials.
  */
-export async function resolveAuthToken(options = {}) {
-    // First priority: explicitly provided token
-    if (options.token) {
-        return options.token;
+async function resolveAuthTokenFromCredentials(credentials, options) {
+    // String credentials are used directly as tokens
+    if (typeof credentials === "string") {
+        return credentials;
+    }
+    // Client credentials: exchange for token
+    if (isClientCredentials(credentials)) {
+        const { clientId } = credentials;
+        // Check cache first
+        const cached = getCachedToken(clientId);
+        if (cached) {
+            return cached;
+        }
+        // Check if there's already an exchange in progress for this clientId
+        const pending = pendingExchanges.get(clientId);
+        if (pending) {
+            return pending;
+        }
+        // Start new exchange and cache the promise to prevent duplicate exchanges
+        const exchangePromise = exchangeClientCredentials({
+            clientId: credentials.clientId,
+            clientSecret: credentials.clientSecret,
+            baseUrl: credentials.baseUrl || options.baseUrl,
+            scope: credentials.scope,
+            fetch: options.fetch,
+            onEvent: options.onEvent,
+        }).finally(() => {
+            // Remove from pending when done (success or failure)
+            pendingExchanges.delete(clientId);
+        });
+        pendingExchanges.set(clientId, exchangePromise);
+        return exchangePromise;
     }
-    // Second priority: getToken callback
-    if (options.getToken) {
-        const token = await options.getToken();
-        if (token) {
-            return token;
+    // PKCE credentials: delegate to CLI login
+    if (isPkceCredentials(credentials)) {
+        // Try to get stored token from CLI login
+        const storedToken = await getTokenFromCliLogin({
+            onEvent: options.onEvent,
+            fetch: options.fetch,
+            credentials,
+        });
+        if (storedToken) {
+            return storedToken;
         }
+        // No stored token - user needs to run login
+        throw new Error("PKCE credentials require interactive login. " +
+            "Please run the 'login' command with the CLI first, or use client_credentials flow.");
+    }
+    // Should not reach here, but handle gracefully
+    throw new Error("Unknown credentials type");
+}
+/**
+ * Invalidate the cached token for the given credentials, if applicable.
+ * This is called when we receive a 401 response, indicating the token
+ * is no longer valid. Only affects client_credentials flow tokens.
+ */
+export async function invalidateCredentialsToken(options) {
+    const resolved = await resolveCredentials(options);
+    const clientId = getClientIdFromCredentials(resolved);
+    if (clientId) {
+        invalidateCachedToken(clientId);
     }
-    // Third and fourth priorities: environment variable or CLI login
-    return getTokenFromEnvOrConfig(options);
 }