integrate-sdk 0.9.42-dev.0 → 0.9.43-dev.0

package/dist/adapters/svelte-kit.js

@@ -2556,6 +2556,148 @@ class IndexedDBStorage {
 
 // ../oauth/manager.ts
 init_email_fetcher();
+
+// ../oauth/refresh.ts
+class RefreshRejectedError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message ?? `OAuth refresh rejected (invalid_grant) for ${provider}`);
+    this.name = "RefreshRejectedError";
+    this.provider = provider;
+  }
+}
+
+class RefreshTransientError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message);
+    this.name = "RefreshTransientError";
+    this.provider = provider;
+  }
+}
+var DEFAULT_REFRESH_WINDOW_MS = 2 * 60 * 1000;
+function shouldRefreshToken(tokenData, windowMs = DEFAULT_REFRESH_WINDOW_MS) {
+  if (!tokenData || !tokenData.refreshToken || !tokenData.expiresAt) {
+    return false;
+  }
+  const expiresAtMs = Date.parse(tokenData.expiresAt);
+  if (Number.isNaN(expiresAtMs)) {
+    return false;
+  }
+  return expiresAtMs - Date.now() <= windowMs;
+}
+async function refreshViaMcp(opts) {
+  const url = new URL("/oauth/refresh", opts.serverUrl);
+  const body = {
+    provider: opts.provider,
+    refresh_token: opts.refreshToken,
+    client_id: opts.clientId
+  };
+  if (opts.clientSecret) {
+    body.client_secret = opts.clientSecret;
+  }
+  if (opts.subdomain) {
+    body.subdomain = opts.subdomain;
+  }
+  if (opts.extraConfig) {
+    for (const [key, value] of Object.entries(opts.extraConfig)) {
+      if (body[key] === undefined) {
+        body[key] = value;
+      }
+    }
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (opts.apiKey) {
+    headers["X-API-KEY"] = opts.apiKey;
+  }
+  let response;
+  try {
+    response = await fetch(url.toString(), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+      signal: opts.signal
+    });
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Network error refreshing ${opts.provider} token: ${err.message}`);
+  }
+  if (response.status === 401) {
+    let parsed = {};
+    try {
+      parsed = await response.json();
+    } catch {}
+    if (parsed.error === "invalid_grant") {
+      throw new RefreshRejectedError(opts.provider);
+    }
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned 401`);
+  }
+  if (!response.ok) {
+    let text = "";
+    try {
+      text = await response.text();
+    } catch {}
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned ${response.status}: ${text || "<no body>"}`);
+  }
+  let result;
+  try {
+    result = await response.json();
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Malformed refresh response: ${err.message}`);
+  }
+  if (!result.accessToken) {
+    throw new RefreshTransientError(opts.provider, `Refresh response missing access_token`);
+  }
+  if (!result.refreshToken) {
+    result.refreshToken = opts.refreshToken;
+  }
+  return result;
+}
+async function resolveAccessToken(opts) {
+  const { provider, currentTokens, force = false } = opts;
+  const needsRefresh = force || shouldRefreshToken(currentTokens, opts.windowMs);
+  if (!needsRefresh || !currentTokens.refreshToken) {
+    return currentTokens.accessToken;
+  }
+  try {
+    const refreshed = await refreshViaMcp({
+      provider,
+      refreshToken: currentTokens.refreshToken,
+      clientId: opts.providerOAuth.clientId,
+      clientSecret: opts.providerOAuth.clientSecret,
+      subdomain: opts.providerOAuth.subdomain,
+      extraConfig: opts.providerOAuth.extraConfig,
+      serverUrl: opts.serverUrl,
+      apiKey: opts.apiKey
+    });
+    const updated = {
+      ...currentTokens,
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken ?? currentTokens.refreshToken,
+      tokenType: refreshed.tokenType || currentTokens.tokenType,
+      expiresIn: refreshed.expiresIn ?? currentTokens.expiresIn,
+      expiresAt: refreshed.expiresAt ?? currentTokens.expiresAt,
+      scopes: refreshed.scopes && refreshed.scopes.length > 0 ? refreshed.scopes : currentTokens.scopes
+    };
+    if (opts.setProviderToken) {
+      try {
+        await opts.setProviderToken(provider, updated, updated.email, opts.context);
+      } catch {}
+    }
+    return updated.accessToken;
+  } catch (err) {
+    if (err instanceof RefreshRejectedError) {
+      if (opts.setProviderToken) {
+        try {
+          await opts.setProviderToken(provider, null, currentTokens.email, opts.context);
+        } catch {}
+      }
+      throw err;
+    }
+    return currentTokens.accessToken;
+  }
+}
+
+// ../oauth/manager.ts
 init_logger();
 var logger6 = createLogger("OAuth");
 
@@ -2571,7 +2713,10 @@ class OAuthManager {
   removeTokenCallback;
   indexedDBStorage;
   skipLocalStorage = false;
-  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks) {
+  providerOAuth = {};
+  mcpServerUrl;
+  mcpApiKey;
+  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks, refreshConfig) {
     this.oauthApiBase = oauthApiBase;
     this.apiBaseUrl = apiBaseUrl;
     this.windowManager = new OAuthWindowManager;
@@ -2583,6 +2728,9 @@ class OAuthManager {
     this.getTokenCallback = tokenCallbacks?.getProviderToken;
     this.setTokenCallback = tokenCallbacks?.setProviderToken;
     this.removeTokenCallback = tokenCallbacks?.removeProviderToken;
+    this.providerOAuth = refreshConfig?.providers ?? {};
+    this.mcpServerUrl = refreshConfig?.mcpServerUrl;
+    this.mcpApiKey = refreshConfig?.apiKey;
     this.indexedDBStorage = new IndexedDBStorage;
     this.cleanupExpiredPendingAuths();
   }
@@ -2792,7 +2940,9 @@ class OAuthManager {
       try {
         const tokenData = await this.getTokenCallback(provider, email, context);
         if (tokenData) {
-          this.providerTokens.set(provider, tokenData);
+          const refreshed = await this.maybeRefreshTokenData(provider, tokenData, context);
+          this.providerTokens.set(provider, refreshed);
+          return refreshed;
         }
         return tokenData;
       } catch (error) {
@@ -2832,6 +2982,59 @@ class OAuthManager {
     }
     await this.saveProviderToken(provider, tokenData, tokenEmail, context);
   }
+  configureTokenRefresh(refreshConfig) {
+    if (refreshConfig.providers) {
+      this.providerOAuth = refreshConfig.providers;
+    }
+    if (refreshConfig.mcpServerUrl !== undefined) {
+      this.mcpServerUrl = refreshConfig.mcpServerUrl;
+    }
+    if (refreshConfig.apiKey !== undefined) {
+      this.mcpApiKey = refreshConfig.apiKey;
+    }
+  }
+  async maybeRefreshTokenData(provider, tokenData, context) {
+    const credentials = this.providerOAuth[provider];
+    const serverUrl = this.mcpServerUrl;
+    if (!credentials || !serverUrl) {
+      return tokenData;
+    }
+    if (!shouldRefreshToken(tokenData)) {
+      return tokenData;
+    }
+    try {
+      const newAccessToken = await resolveAccessToken({
+        provider,
+        currentTokens: tokenData,
+        providerOAuth: {
+          clientId: credentials.clientId,
+          clientSecret: credentials.clientSecret,
+          subdomain: credentials.config?.subdomain
+        },
+        serverUrl,
+        apiKey: this.mcpApiKey,
+        setProviderToken: this.setTokenCallback,
+        context
+      });
+      if (newAccessToken === tokenData.accessToken) {
+        return tokenData;
+      }
+      if (this.getTokenCallback) {
+        try {
+          const reloaded = await this.getTokenCallback(provider, tokenData.email, context);
+          if (reloaded) {
+            return reloaded;
+          }
+        } catch {}
+      }
+      return { ...tokenData, accessToken: newAccessToken };
+    } catch (err) {
+      if (err instanceof RefreshRejectedError) {
+        throw err;
+      }
+      return tokenData;
+    }
+  }
   clearProviderToken(provider) {
     this.providerTokens.delete(provider);
     if (!this.setTokenCallback && !this.removeTokenCallback && !this.skipLocalStorage) {
@@ -3288,10 +3491,26 @@ class MCPClientBase {
     };
     this.onReauthRequired = config.onReauthRequired;
     this.maxReauthRetries = config.maxReauthRetries ?? 1;
+    const refreshProviders = {};
+    for (const integration of this.integrations) {
+      const oauth = integration?.oauth;
+      if (oauth?.clientId && oauth?.provider) {
+        refreshProviders[oauth.provider] = {
+          clientId: oauth.clientId,
+          clientSecret: oauth.clientSecret,
+          config: oauth.config
+        };
+      }
+    }
+    const mcpServerUrl = config.serverUrl;
     this.oauthManager = new OAuthManager(oauthApiBase, config.oauthFlow, this.apiBaseUrl, {
       getProviderToken: config.getProviderToken,
       setProviderToken: config.setProviderToken,
       removeProviderToken: config.removeProviderToken
+    }, {
+      providers: refreshProviders,
+      mcpServerUrl,
+      apiKey: config.apiKey
     });
     this.setSessionToken(config.sessionToken || this.loadSessionTokenFromStorage());
     for (const integration of this.integrations) {

package/dist/index.js

@@ -1767,6 +1767,146 @@ async function fetchNotionEmail(accessToken) {
   }
 }
 
+// src/oauth/refresh.ts
+class RefreshRejectedError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message ?? `OAuth refresh rejected (invalid_grant) for ${provider}`);
+    this.name = "RefreshRejectedError";
+    this.provider = provider;
+  }
+}
+
+class RefreshTransientError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message);
+    this.name = "RefreshTransientError";
+    this.provider = provider;
+  }
+}
+var DEFAULT_REFRESH_WINDOW_MS = 2 * 60 * 1000;
+function shouldRefreshToken(tokenData, windowMs = DEFAULT_REFRESH_WINDOW_MS) {
+  if (!tokenData || !tokenData.refreshToken || !tokenData.expiresAt) {
+    return false;
+  }
+  const expiresAtMs = Date.parse(tokenData.expiresAt);
+  if (Number.isNaN(expiresAtMs)) {
+    return false;
+  }
+  return expiresAtMs - Date.now() <= windowMs;
+}
+async function refreshViaMcp(opts) {
+  const url = new URL("/oauth/refresh", opts.serverUrl);
+  const body = {
+    provider: opts.provider,
+    refresh_token: opts.refreshToken,
+    client_id: opts.clientId
+  };
+  if (opts.clientSecret) {
+    body.client_secret = opts.clientSecret;
+  }
+  if (opts.subdomain) {
+    body.subdomain = opts.subdomain;
+  }
+  if (opts.extraConfig) {
+    for (const [key, value] of Object.entries(opts.extraConfig)) {
+      if (body[key] === undefined) {
+        body[key] = value;
+      }
+    }
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (opts.apiKey) {
+    headers["X-API-KEY"] = opts.apiKey;
+  }
+  let response;
+  try {
+    response = await fetch(url.toString(), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+      signal: opts.signal
+    });
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Network error refreshing ${opts.provider} token: ${err.message}`);
+  }
+  if (response.status === 401) {
+    let parsed = {};
+    try {
+      parsed = await response.json();
+    } catch {}
+    if (parsed.error === "invalid_grant") {
+      throw new RefreshRejectedError(opts.provider);
+    }
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned 401`);
+  }
+  if (!response.ok) {
+    let text = "";
+    try {
+      text = await response.text();
+    } catch {}
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned ${response.status}: ${text || "<no body>"}`);
+  }
+  let result;
+  try {
+    result = await response.json();
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Malformed refresh response: ${err.message}`);
+  }
+  if (!result.accessToken) {
+    throw new RefreshTransientError(opts.provider, `Refresh response missing access_token`);
+  }
+  if (!result.refreshToken) {
+    result.refreshToken = opts.refreshToken;
+  }
+  return result;
+}
+async function resolveAccessToken(opts) {
+  const { provider, currentTokens, force = false } = opts;
+  const needsRefresh = force || shouldRefreshToken(currentTokens, opts.windowMs);
+  if (!needsRefresh || !currentTokens.refreshToken) {
+    return currentTokens.accessToken;
+  }
+  try {
+    const refreshed = await refreshViaMcp({
+      provider,
+      refreshToken: currentTokens.refreshToken,
+      clientId: opts.providerOAuth.clientId,
+      clientSecret: opts.providerOAuth.clientSecret,
+      subdomain: opts.providerOAuth.subdomain,
+      extraConfig: opts.providerOAuth.extraConfig,
+      serverUrl: opts.serverUrl,
+      apiKey: opts.apiKey
+    });
+    const updated = {
+      ...currentTokens,
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken ?? currentTokens.refreshToken,
+      tokenType: refreshed.tokenType || currentTokens.tokenType,
+      expiresIn: refreshed.expiresIn ?? currentTokens.expiresIn,
+      expiresAt: refreshed.expiresAt ?? currentTokens.expiresAt,
+      scopes: refreshed.scopes && refreshed.scopes.length > 0 ? refreshed.scopes : currentTokens.scopes
+    };
+    if (opts.setProviderToken) {
+      try {
+        await opts.setProviderToken(provider, updated, updated.email, opts.context);
+      } catch {}
+    }
+    return updated.accessToken;
+  } catch (err) {
+    if (err instanceof RefreshRejectedError) {
+      if (opts.setProviderToken) {
+        try {
+          await opts.setProviderToken(provider, null, currentTokens.email, opts.context);
+        } catch {}
+      }
+      throw err;
+    }
+    return currentTokens.accessToken;
+  }
+}
+
 // src/oauth/manager.ts
 var logger4 = createLogger("OAuth");
 
@@ -1782,7 +1922,10 @@ class OAuthManager {
   removeTokenCallback;
   indexedDBStorage;
   skipLocalStorage = false;
-  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks) {
+  providerOAuth = {};
+  mcpServerUrl;
+  mcpApiKey;
+  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks, refreshConfig) {
     this.oauthApiBase = oauthApiBase;
     this.apiBaseUrl = apiBaseUrl;
     this.windowManager = new OAuthWindowManager;
@@ -1794,6 +1937,9 @@ class OAuthManager {
     this.getTokenCallback = tokenCallbacks?.getProviderToken;
     this.setTokenCallback = tokenCallbacks?.setProviderToken;
     this.removeTokenCallback = tokenCallbacks?.removeProviderToken;
+    this.providerOAuth = refreshConfig?.providers ?? {};
+    this.mcpServerUrl = refreshConfig?.mcpServerUrl;
+    this.mcpApiKey = refreshConfig?.apiKey;
     this.indexedDBStorage = new IndexedDBStorage;
     this.cleanupExpiredPendingAuths();
   }
@@ -2003,7 +2149,9 @@ class OAuthManager {
       try {
         const tokenData = await this.getTokenCallback(provider, email, context);
         if (tokenData) {
-          this.providerTokens.set(provider, tokenData);
+          const refreshed = await this.maybeRefreshTokenData(provider, tokenData, context);
+          this.providerTokens.set(provider, refreshed);
+          return refreshed;
         }
         return tokenData;
       } catch (error) {
@@ -2043,6 +2191,59 @@ class OAuthManager {
     }
     await this.saveProviderToken(provider, tokenData, tokenEmail, context);
   }
+  configureTokenRefresh(refreshConfig) {
+    if (refreshConfig.providers) {
+      this.providerOAuth = refreshConfig.providers;
+    }
+    if (refreshConfig.mcpServerUrl !== undefined) {
+      this.mcpServerUrl = refreshConfig.mcpServerUrl;
+    }
+    if (refreshConfig.apiKey !== undefined) {
+      this.mcpApiKey = refreshConfig.apiKey;
+    }
+  }
+  async maybeRefreshTokenData(provider, tokenData, context) {
+    const credentials = this.providerOAuth[provider];
+    const serverUrl = this.mcpServerUrl;
+    if (!credentials || !serverUrl) {
+      return tokenData;
+    }
+    if (!shouldRefreshToken(tokenData)) {
+      return tokenData;
+    }
+    try {
+      const newAccessToken = await resolveAccessToken({
+        provider,
+        currentTokens: tokenData,
+        providerOAuth: {
+          clientId: credentials.clientId,
+          clientSecret: credentials.clientSecret,
+          subdomain: credentials.config?.subdomain
+        },
+        serverUrl,
+        apiKey: this.mcpApiKey,
+        setProviderToken: this.setTokenCallback,
+        context
+      });
+      if (newAccessToken === tokenData.accessToken) {
+        return tokenData;
+      }
+      if (this.getTokenCallback) {
+        try {
+          const reloaded = await this.getTokenCallback(provider, tokenData.email, context);
+          if (reloaded) {
+            return reloaded;
+          }
+        } catch {}
+      }
+      return { ...tokenData, accessToken: newAccessToken };
+    } catch (err) {
+      if (err instanceof RefreshRejectedError) {
+        throw err;
+      }
+      return tokenData;
+    }
+  }
   clearProviderToken(provider) {
     this.providerTokens.delete(provider);
     if (!this.setTokenCallback && !this.removeTokenCallback && !this.skipLocalStorage) {
@@ -2501,10 +2702,26 @@ class MCPClientBase {
     };
     this.onReauthRequired = config.onReauthRequired;
     this.maxReauthRetries = config.maxReauthRetries ?? 1;
+    const refreshProviders = {};
+    for (const integration of this.integrations) {
+      const oauth = integration?.oauth;
+      if (oauth?.clientId && oauth?.provider) {
+        refreshProviders[oauth.provider] = {
+          clientId: oauth.clientId,
+          clientSecret: oauth.clientSecret,
+          config: oauth.config
+        };
+      }
+    }
+    const mcpServerUrl = config.serverUrl;
     this.oauthManager = new OAuthManager(oauthApiBase, config.oauthFlow, this.apiBaseUrl, {
       getProviderToken: config.getProviderToken,
       setProviderToken: config.setProviderToken,
       removeProviderToken: config.removeProviderToken
+    }, {
+      providers: refreshProviders,
+      mcpServerUrl,
+      apiKey: config.apiKey
     });
     this.setSessionToken(config.sessionToken || this.loadSessionTokenFromStorage());
     for (const integration of this.integrations) {
@@ -9041,12 +9258,15 @@ export {
   supabaseIntegration,
   stripeIntegration,
   slackIntegration,
+  shouldRefreshToken,
   shopifyIntegration,
   sharepointIntegration,
   sentryIntegration,
   sendCallbackToOpener,
   salesforceIntegration,
+  resolveAccessToken,
   resendIntegration,
+  refreshViaMcp,
   redisIntegration,
   redditIntegration,
   rampIntegration,
@@ -9135,6 +9355,8 @@ export {
   TriggerClient,
   ToolCallError,
   TokenExpiredError,
+  RefreshTransientError,
+  RefreshRejectedError,
   OAuthWindowManager,
   OAuthManager,
   OAuthHandler,
@@ -9144,6 +9366,7 @@ export {
   IntegrateSDKError,
   INTEGRATION_CATEGORY_ORDER,
   HttpSessionTransport,
+  DEFAULT_REFRESH_WINDOW_MS,
   ConnectionError,
   AuthorizationError,
   AuthenticationError