@zapier/zapier-sdk 0.50.0 → 0.52.0

package/dist/auth.js

@@ -9,6 +9,8 @@
  * @zapier/zapier-sdk-cli package (imported via its `./login` subpath).
  */
 import { isClientCredentials, isPkceCredentials } from "./types/credentials";
+import { ZapierAuthenticationError } from "./types/errors";
+import { emitOnce } from "./utils/telemetry";
 import { resolveCredentials, getClientIdFromCredentials } from "./credentials";
 import { createMemoryCache } from "./cache";
 const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
@@ -61,8 +63,10 @@ async function resolveCache(options) {
     if (cliLogin?.createCache) {
         try {
             const cache = cliLogin.createCache();
-            cachedDefaultCache = cache;
-            return cache;
+            if (cache) {
+                cachedDefaultCache = cache;
+                return cache;
+            }
         }
         catch {
             // Fall through to in-memory if the CLI provider can't be constructed.
@@ -77,6 +81,12 @@ function entryIsValid(entry) {
         return true;
     return entry.expiresAt > Date.now() + TOKEN_EXPIRATION_BUFFER_MS;
 }
+async function readCachedToken(cacheKey, cache) {
+    const cached = await cache.get(cacheKey);
+    if (cached && entryIsValid(cached))
+        return cached.value;
+    return undefined;
+}
 /**
  * Invalidate the cached token for a given client_credentials identity.
  * Called on 401 so the next request re-exchanges. Clears both the
@@ -227,6 +237,23 @@ export function isCliLoginAvailable() {
         return undefined;
     return cachedCliLogin !== false;
 }
+function emitAuthResolved(onEvent, mechanism) {
+    if (onEvent) {
+        emitOnce(onEvent, {
+            type: "auth_resolved",
+            payload: { mechanism },
+            timestamp: Date.now(),
+        });
+    }
+}
+async function getActiveCredentialsFromCli(baseUrl) {
+    const cliLogin = await getCliLogin();
+    return cliLogin?.getActiveCredentials?.({ baseUrl });
+}
+async function getStoredClientCredentialsFromCli(baseUrl) {
+    const cliLogin = await getCliLogin();
+    return cliLogin?.getStoredClientCredentials?.({ baseUrl });
+}
 /**
  * Attempts to get a token from the CLI login package.
  *
@@ -239,6 +266,47 @@ export async function getTokenFromCliLogin(options) {
         return undefined;
     return await cliLogin.getToken(options);
 }
+async function tryStoredClientCredentialToken(options) {
+    const activeCredential = await getActiveCredentialsFromCli(options.baseUrl);
+    if (!activeCredential)
+        return undefined;
+    const resolvedBaseUrl = activeCredential.baseUrl || options.baseUrl || DEFAULT_AUTH_BASE_URL;
+    const mergedScopes = mergeScopes(activeCredential.scopes.join(" "), options.requiredScopes);
+    const cacheKey = buildCacheKey({
+        clientId: activeCredential.clientId,
+        scopes: mergedScopes,
+        baseUrl: resolvedBaseUrl,
+    });
+    const cache = await resolveCache(options);
+    const pending = pendingExchanges.get(cacheKey);
+    if (pending)
+        return pending;
+    const cached = await readCachedToken(cacheKey, cache);
+    if (cached !== undefined) {
+        if (options.debug)
+            console.log(`[auth] Using cached token (clientId: ${activeCredential.clientId})`);
+        emitAuthResolved(options.onEvent, "client_credentials");
+        return cached;
+    }
+    const storedCredential = await getStoredClientCredentialsFromCli(resolvedBaseUrl);
+    if (!storedCredential) {
+        // Active credential pointer exists but the keychain secret is missing.
+        // Falling back to JWT would silently downgrade a migrated user; surface
+        // the broken state so they re-run login to recreate the secret.
+        await invalidateCachedToken({
+            clientId: activeCredential.clientId,
+            scopes: activeCredential.scopes,
+            baseUrl: resolvedBaseUrl,
+            cache: options.cache,
+        });
+        throw new ZapierAuthenticationError(`Stored client credential is missing its secret (clientId: ${activeCredential.clientId}). Run \`zapier-sdk login\` to recreate it.`);
+    }
+    if (options.debug)
+        console.log(`[auth] Using stored client credential (clientId: ${storedCredential.clientId})`);
+    const token = await resolveAuthTokenFromCredentials(storedCredential, options);
+    emitAuthResolved(options.onEvent, "client_credentials");
+    return token;
+}
 /**
  * Resolves an auth token from wherever it can be found.
  *
@@ -265,19 +333,28 @@ export async function resolveAuthToken(options = {}) {
     if (credentials !== undefined) {
         return resolveAuthTokenFromCredentials(credentials, options);
     }
-    // No credentials from options or env, try CLI login for stored token
-    return getTokenFromCliLogin({
+    const storedToken = await tryStoredClientCredentialToken(options);
+    if (storedToken !== undefined)
+        return storedToken;
+    if (options.debug) {
+        console.log("[auth] Using JWT (no stored client credential found)");
+    }
+    const jwtToken = await getTokenFromCliLogin({
         onEvent: options.onEvent,
         fetch: options.fetch,
         debug: options.debug,
     });
+    if (jwtToken !== undefined) {
+        emitAuthResolved(options.onEvent, "jwt");
+    }
+    return jwtToken;
 }
 /**
  * Resolve an auth token from resolved credentials.
  */
 async function resolveAuthTokenFromCredentials(credentials, options) {
-    // String credentials are used directly as tokens
     if (typeof credentials === "string") {
+        emitAuthResolved(options.onEvent, "token");
         return credentials;
     }
     // Client credentials: exchange + cache through a pluggable cache
@@ -299,9 +376,12 @@ async function resolveAuthTokenFromCredentials(credentials, options) {
         });
         const cache = await resolveCache(options);
         // Fast-path read
-        const cached = await cache.get(cacheKey);
-        if (cached && entryIsValid(cached)) {
-            return cached.value;
+        const cached = await readCachedToken(cacheKey, cache);
+        if (cached !== undefined) {
+            if (options.debug) {
+                console.log(`[auth] Using cached token (clientId: ${clientId})`);
+            }
+            return cached;
         }
         // In-process dedup
         const pending = pendingExchanges.get(cacheKey);
@@ -312,9 +392,13 @@ async function resolveAuthTokenFromCredentials(credentials, options) {
         // cache under the lock and uses the first's token instead of firing
         // another exchange.
         const runLocked = async () => {
-            const recheck = await cache.get(cacheKey);
-            if (recheck && entryIsValid(recheck))
-                return recheck.value;
+            const recheck = await readCachedToken(cacheKey, cache);
+            if (recheck !== undefined) {
+                if (options.debug) {
+                    console.log(`[auth] Using cached token (clientId: ${clientId}, locked recheck)`);
+                }
+                return recheck;
+            }
             const { accessToken, expiresIn } = await exchangeClientCredentials({
                 clientId: credentials.clientId,
                 clientSecret: credentials.clientSecret,

package/dist/constants.d.ts

@@ -30,6 +30,22 @@ export declare const DEFAULT_ACTION_TIMEOUT_MS = 180000;
  */
 export declare const ZAPIER_MAX_NETWORK_RETRIES: number;
 export declare const ZAPIER_MAX_NETWORK_RETRY_DELAY_MS: number;
+/**
+ * Upper bound on the concurrency cap. Anything beyond this is almost
+ * certainly a configuration mistake and would also bypass IEEE 754 safe
+ * integer range for inputs like "9".repeat(309), which would silently
+ * become Infinity and disable throttling.
+ */
+export declare const MAX_CONCURRENCY_LIMIT = 10000;
+export declare function parseConcurrencyEnvVar(name: string): number | undefined;
+/**
+ * Default cap on concurrent in-flight HTTP requests per SDK instance.
+ * Beyond this, requests queue (FIFO) until a slot frees up. Sized for
+ * production workloads that fan out hundreds of action runs in parallel;
+ * lower it when running against a smaller backend or to be more
+ * conservative. Pass `Infinity` to disable.
+ */
+export declare const ZAPIER_MAX_CONCURRENT_REQUESTS: number;
 /**
  * Approval flow behavior from environment variable.
  * - "disabled": (default when env var is unset) Throw a ZapierApprovalError on

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,eAAO,MAAM,eAAe,QACsC,CAAC;AAEnE;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAExD;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,QAAQ,CAAC;AAEpC;;GAEG;AACH,eAAO,MAAM,iBAAiB,MAAM,CAAC;AAErC;;GAEG;AACH,eAAO,MAAM,yBAAyB,SAAU,CAAC;AAejD;;GAEG;AACH,eAAO,MAAM,0BAA0B,QACY,CAAC;AACpD,eAAO,MAAM,iCAAiC,QACiB,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,IACjC,UAAU,GACV,MAAM,GACN,OAAO,GACP,SAAS,CAKZ;AAED;;GAEG;AACH,eAAO,MAAM,2BAA2B,QAAiB,CAAC;AAE1D;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,IAAI,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,eAAO,MAAM,eAAe,QACsC,CAAC;AAEnE;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAExD;AAED;;GAEG;AACH,eAAO,MAAM,cAAc,QAAQ,CAAC;AAEpC;;GAEG;AACH,eAAO,MAAM,iBAAiB,MAAM,CAAC;AAErC;;GAEG;AACH,eAAO,MAAM,yBAAyB,SAAU,CAAC;AAejD;;GAEG;AACH,eAAO,MAAM,0BAA0B,QACY,CAAC;AACpD,eAAO,MAAM,iCAAiC,QACiB,CAAC;AAEhE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,QAAS,CAAC;AAE5C,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAYvE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,8BAA8B,QACsB,CAAC;AAElE;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,IACjC,UAAU,GACV,MAAM,GACN,OAAO,GACP,SAAS,CAKZ;AAED;;GAEG;AACH,eAAO,MAAM,2BAA2B,QAAiB,CAAC;AAE1D;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,IAAI,CAAC"}

package/dist/constants.js

@@ -43,6 +43,35 @@ function parseIntEnvVar(name) {
  */
 export const ZAPIER_MAX_NETWORK_RETRIES = parseIntEnvVar("ZAPIER_MAX_NETWORK_RETRIES") ?? 3;
 export const ZAPIER_MAX_NETWORK_RETRY_DELAY_MS = parseIntEnvVar("ZAPIER_MAX_NETWORK_RETRY_DELAY_MS") ?? 60000;
+/**
+ * Upper bound on the concurrency cap. Anything beyond this is almost
+ * certainly a configuration mistake and would also bypass IEEE 754 safe
+ * integer range for inputs like "9".repeat(309), which would silently
+ * become Infinity and disable throttling.
+ */
+export const MAX_CONCURRENCY_LIMIT = 10000;
+export function parseConcurrencyEnvVar(name) {
+    const value = globalThis.process?.env?.[name];
+    if (!value)
+        return undefined;
+    if (value === "Infinity")
+        return Infinity;
+    if (/^[1-9]\d*$/.test(value)) {
+        const parsed = parseInt(value, 10);
+        if (parsed <= MAX_CONCURRENCY_LIMIT)
+            return parsed;
+    }
+    console.warn(`[zapier-sdk] Invalid value for ${name}: "${value}" (expected positive integer 1-${MAX_CONCURRENCY_LIMIT} or "Infinity")`);
+    return undefined;
+}
+/**
+ * Default cap on concurrent in-flight HTTP requests per SDK instance.
+ * Beyond this, requests queue (FIFO) until a slot frees up. Sized for
+ * production workloads that fan out hundreds of action runs in parallel;
+ * lower it when running against a smaller backend or to be more
+ * conservative. Pass `Infinity` to disable.
+ */
+export const ZAPIER_MAX_CONCURRENT_REQUESTS = parseConcurrencyEnvVar("ZAPIER_MAX_CONCURRENT_REQUESTS") ?? 200;
 /**
  * Approval flow behavior from environment variable.
  * - "disabled": (default when env var is unset) Throw a ZapierApprovalError on