@zapier/zapier-sdk 0.47.0 → 0.47.1
- package/CHANGELOG.md +6 -0
- package/dist/api/client.d.ts.map +1 -1
- package/dist/api/client.js +10 -3
- package/dist/index.cjs +20 -3
- package/dist/index.mjs +20 -3
- package/dist/utils/url-utils.d.ts +6 -0
- package/dist/utils/url-utils.d.ts.map +1 -1
- package/dist/utils/url-utils.js +17 -0
- package/package.json +1 -1
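--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @zapier/zapier-sdk
 
+## 0.47.1
+
+### Patch Changes
+
+- 4ab820a: Skip the approval `poll_url` and `approval_url` origin checks when `baseUrl` (or `ZAPIER_BASE_URL`) points at `localhost` / `127.0.0.1`. Local dev runs sdkapi, approvalsapi, and the approval frontend on different ports, so the origin pin can never match. The check is intended to stop a compromised sdkapi from redirecting bearer-token traffic to an attacker host — a threat that doesn't apply when the developer owns every service on the machine.
+
 ## 0.47.0
 
 ### Minor Changes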
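--- a/package/dist/api/client.d.ts.map
+++ b/package/dist/api/client.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAGjB,MAAM,SAAS,CAAC;
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAGjB,MAAM,SAAS,CAAC;AAgjCjB,eAAO,MAAM,eAAe,GAAI,SAAS,gBAAgB,KAAG,SAW3D,CAAC"}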
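--- a/package/dist/api/client.js
+++ b/package/dist/api/client.js
@@ -8,7 +8,7 @@ import { getAuthorizationHeader } from "./auth";
 import { createDebugLogger, createDebugFetch } from "./debug";
 import { pollUntilComplete } from "./polling";
 import { resolveAuthToken, invalidateCredentialsToken, isCliLoginAvailable, } from "../auth";
-import { getZapierBaseUrl } from "../utils/url-utils";
+import { getZapierBaseUrl, isLocalhostBaseUrl } from "../utils/url-utils";
 import { sleep, calculateExponentialBackoffMs } from "../utils/retry-utils";
 import { isPlainObject } from "../utils/type-guard-utils";
 import { ZapierApiError, ZapierApprovalError, ZapierAuthenticationError, ZapierTimeoutError, ZapierValidationError, ZapierResourceNotFoundError, ZapierRateLimitError, } from "../types/errors";
@@ -711,8 +711,15 @@ class ZapierApiClient {
 throw new ZapierApiError(`Approval ${label} origin ${parsed.origin} does not match expected ${expectedOrigin}`, { statusCode: approvalResponse.status, response: body });
 }
 };
-
-
+// In local dev the SDK API, approvalsapi, and approval frontend run on
+// different localhost ports, so neither origin can match. The check
+// exists to stop a compromised sdkapi from redirecting bearer-token
+// traffic to an attacker host — that threat model doesn't apply when
+// the dev owns every service on the machine.
+if (!isLocalhostBaseUrl(this.options.baseUrl)) {
+assertApprovalOrigin(approval.poll_url, sdkapiOrigin, "poll_url");
+assertApprovalOrigin(approval.approval_url, browserOrigin, "approval_url");
+}
 this.emitEvent("approval:required", {
 approvalId: approval.approval_id,
 approvalUrl: approval.approval_url,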
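--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -5207,6 +5207,17 @@ function getZapierBaseUrl(baseUrl) {
 return void 0;
 }
 }
+function isLocalhostBaseUrl(baseUrl) {
+if (!baseUrl) {
+return false;
+}
+try {
+const { hostname } = new URL(baseUrl);
+return hostname === "localhost" || hostname === "127.0.0.1";
+} catch {
+return false;
+}
+}
 function getTrackingBaseUrl({
 trackingBaseUrl,
 baseUrl
@@ -5620,7 +5631,7 @@ async function invalidateCredentialsToken(options) {
 }
 
 // src/sdk-version.ts
-var SDK_VERSION = (typeof process !== "undefined" && process.env ? "0.47.
+var SDK_VERSION = (typeof process !== "undefined" && process.env ? "0.47.1" : void 0) || "unknown";
 
 // src/utils/open-url.ts
 var nodePrefix = "node:";
@@ -6286,8 +6297,14 @@ var ZapierApiClient = class {
 );
 }
 };
-
-
+if (!isLocalhostBaseUrl(this.options.baseUrl)) {
+assertApprovalOrigin(approval.poll_url, sdkapiOrigin, "poll_url");
+assertApprovalOrigin(
+approval.approval_url,
+browserOrigin,
+"approval_url"
+);
+}
 this.emitEvent("approval:required", {
 approvalId: approval.approval_id,
 approvalUrl: approval.approval_url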
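--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -5205,6 +5205,17 @@ function getZapierBaseUrl(baseUrl) {
 return void 0;
 }
 }
+function isLocalhostBaseUrl(baseUrl) {
+if (!baseUrl) {
+return false;
+}
+try {
+const { hostname } = new URL(baseUrl);
+return hostname === "localhost" || hostname === "127.0.0.1";
+} catch {
+return false;
+}
+}
 function getTrackingBaseUrl({
 trackingBaseUrl,
 baseUrl
@@ -5618,7 +5629,7 @@ async function invalidateCredentialsToken(options) {
 }
 
 // src/sdk-version.ts
-var SDK_VERSION = (typeof process !== "undefined" && process.env ? "0.47.
+var SDK_VERSION = (typeof process !== "undefined" && process.env ? "0.47.1" : void 0) || "unknown";
 
 // src/utils/open-url.ts
 var nodePrefix = "node:";
@@ -6284,8 +6295,14 @@ var ZapierApiClient = class {
 );
 }
 };
-
-
+if (!isLocalhostBaseUrl(this.options.baseUrl)) {
+assertApprovalOrigin(approval.poll_url, sdkapiOrigin, "poll_url");
+assertApprovalOrigin(
+approval.approval_url,
+browserOrigin,
+"approval_url"
+);
+}
 this.emitEvent("approval:required", {
 approvalId: approval.approval_id,
 approvalUrl: approval.approval_url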
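--- a/package/dist/utils/url-utils.d.ts
+++ b/package/dist/utils/url-utils.d.ts
@@ -4,6 +4,12 @@
 * This combines domain checking and URL extraction logic.
 */
 export declare function getZapierBaseUrl(baseUrl?: string): string | undefined;
+/**
+* Returns true if the baseUrl points at a developer's local machine
+* (`localhost` or `127.0.0.1`). Used to relax checks that don't make sense
+* when the SDK API and other services run on different localhost ports.
+*/
+export declare function isLocalhostBaseUrl(baseUrl?: string): boolean;
 /**
 * Gets tracking base URL with the following precedence:
 * 1. Explicit trackingBaseUrl parameter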
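Review bot: The TSDoc on the new `isLocalhostBaseUrl` declaration says it is "used to relax checks" without naming them, so a future caller cannot tell that this predicate gates a security control. Since it now decides whether the approval `poll_url`/`approval_url` origin pin is enforced, the declaration should say so and list the exact hostnames matched, e.g. add `* Matches only hostname \`localhost\` or \`127.0.0.1\` (not \`[::1]\`). Gates the approval poll_url/approval_url origin pin; do not reuse as a general "trusted host" test.` to the comment block. This section carries no file header on the page; the path is taken from the file list at the top.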
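--- a/package/dist/utils/url-utils.d.ts.map
+++ b/package/dist/utils/url-utils.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"url-utils.d.ts","sourceRoot":"","sources":["../../src/utils/url-utils.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CA+BrE;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,eAAe,EACf,OAAO,GACR,EAAE;IACD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,MAAM,CA0BT"}
+{"version":3,"file":"url-utils.d.ts","sourceRoot":"","sources":["../../src/utils/url-utils.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CA+BrE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,eAAe,EACf,OAAO,GACR,EAAE;IACD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,MAAM,CA0BT"}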
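--- a/package/dist/utils/url-utils.js
+++ b/package/dist/utils/url-utils.js
@@ -29,6 +29,23 @@ export function getZapierBaseUrl(baseUrl) {
 return undefined;
 }
 }
+/**
+* Returns true if the baseUrl points at a developer's local machine
+* (`localhost` or `127.0.0.1`). Used to relax checks that don't make sense
+* when the SDK API and other services run on different localhost ports.
+*/
+export function isLocalhostBaseUrl(baseUrl) {
+if (!baseUrl) {
+return false;
+}
+try {
+const { hostname } = new URL(baseUrl);
+return hostname === "localhost" || hostname === "127.0.0.1";
+}
+catch {
+return false;
+}
+}
 /**
 * Gets tracking base URL with the following precedence:
 * 1. Explicit trackingBaseUrl parameter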
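Review bot: `isLocalhostBaseUrl` (new-side lines 42–43) matches only `localhost` and `127.0.0.1`, so a developer whose services bind the IPv6 loopback (`http://[::1]:8000`, where `new URL(...).hostname` is the bracketed `[::1]`) still hits the origin pin this function was added to relax, and the rest of `127.0.0.0/8` is excluded as well; either widen the allow-list deliberately, `return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";`, or state in the doc comment that only these two spellings are recognised. Because the predicate now gates a security check, the doc comment should also name that check (the approval `poll_url`/`approval_url` origin pin) so it is not reused as a general "trusted host" test elsewhere. The `catch { return false; }` is the right fail-closed default for unparsable input; note that a scheme-less `localhost:8000` parses with scheme `localhost:` and an empty hostname and is therefore treated as not local, which may be worth calling out for `ZAPIER_BASE_URL` users.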