integrate-sdk 0.9.42-dev.0 → 0.9.44-dev.0

package/dist/server.js

@@ -736,104 +736,267 @@ function base64UrlDecode(str) {
 
 // src/oauth/email-fetcher.ts
 async function fetchUserEmail(provider, tokenData) {
+  const fetcher = EMAIL_FETCHERS[provider.toLowerCase()];
+  if (!fetcher) {
+    return tokenData.email;
+  }
   try {
-    switch (provider.toLowerCase()) {
-      case "github":
-        return await fetchGitHubEmail(tokenData.accessToken);
-      case "gmail":
-      case "google":
-        return await fetchGoogleEmail(tokenData.accessToken);
-      case "notion":
-        return await fetchNotionEmail(tokenData.accessToken);
-      default:
-        return tokenData.email;
-    }
+    const email = await fetcher(tokenData);
+    return email ?? tokenData.email;
   } catch (error) {
     logger3.error(`Failed to fetch email for ${provider}:`, error);
-    return;
+    return tokenData.email;
   }
 }
-async function fetchGitHubEmail(accessToken) {
-  try {
-    const userResponse = await fetch("https://api.github.com/user", {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: "application/vnd.github.v3+json"
-      }
-    });
-    if (!userResponse.ok) {
-      return;
-    }
-    const user = await userResponse.json();
-    if (user.email) {
-      return user.email;
-    }
-    const emailsResponse = await fetch("https://api.github.com/user/emails", {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: "application/vnd.github.v3+json"
-      }
-    });
-    if (!emailsResponse.ok) {
-      return;
-    }
-    const emails = await emailsResponse.json();
-    const primaryEmail = emails.find((e) => e.primary && e.verified);
-    if (primaryEmail) {
-      return primaryEmail.email;
+async function fetchGitHubEmail(token) {
+  const headers = {
+    Authorization: `Bearer ${token.accessToken}`,
+    Accept: "application/vnd.github.v3+json"
+  };
+  const userResponse = await fetch("https://api.github.com/user", { headers });
+  if (!userResponse.ok)
+    return;
+  const user = await userResponse.json();
+  if (user.email)
+    return user.email;
+  const emailsResponse = await fetch("https://api.github.com/user/emails", { headers });
+  if (!emailsResponse.ok)
+    return;
+  const emails = await emailsResponse.json();
+  const primary = emails.find((e) => e.primary && e.verified);
+  if (primary)
+    return primary.email;
+  const verified = emails.find((e) => e.verified);
+  if (verified)
+    return verified.email;
+  return emails[0]?.email;
+}
+async function fetchGoogleEmail(token) {
+  const response = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const user = await response.json();
+  return user.email;
+}
+async function fetchNotionEmail(token) {
+  const response = await fetch("https://api.notion.com/v1/users/me", {
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      "Notion-Version": "2022-06-28"
     }
-    const verifiedEmail = emails.find((e) => e.verified);
-    if (verifiedEmail) {
-      return verifiedEmail.email;
+  });
+  if (!response.ok)
+    return;
+  const user = await response.json();
+  return user.person?.email ?? user.bot?.owner?.user?.person?.email;
+}
+async function fetchLinearEmail(token) {
+  const response = await fetch("https://api.linear.app/graphql", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ query: "{ viewer { email } }" })
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.data?.viewer?.email;
+}
+async function fetchHubSpotEmail(token) {
+  const url = `https://api.hubapi.com/oauth/v1/access-tokens/${encodeURIComponent(token.accessToken)}`;
+  const response = await fetch(url);
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.user;
+}
+async function fetchPolarEmail(token) {
+  const response = await fetch("https://api.polar.sh/v1/oauth2/userinfo", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.email;
+}
+async function fetchTodoistEmail(token) {
+  const response = await fetch("https://api.todoist.com/sync/v9/sync", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: 'sync_token=*&resource_types=["user"]'
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.user?.email;
+}
+async function fetchVercelEmail(token) {
+  const response = await fetch("https://api.vercel.com/v2/user", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.user?.email ?? body.email;
+}
+async function fetchSlackEmail(token) {
+  const response = await fetch("https://slack.com/api/users.identity", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  if (!body.ok)
+    return;
+  return body.user?.email;
+}
+async function fetchIntercomEmail(token) {
+  const response = await fetch("https://api.intercom.io/me", {
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      Accept: "application/json"
     }
-    if (emails.length > 0 && emails[0]?.email) {
-      return emails[0].email;
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.email;
+}
+async function fetchAtlassianEmail(token) {
+  const response = await fetch("https://api.atlassian.com/me", {
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      Accept: "application/json"
     }
+  });
+  if (!response.ok)
     return;
-  } catch (error) {
-    logger3.error("Failed to fetch GitHub email:", error);
+  const body = await response.json();
+  return body.email;
+}
+async function fetchZendeskEmail(token) {
+  const subdomain = token.providerConfig?.subdomain?.trim();
+  if (!subdomain)
     return;
-  }
+  const response = await fetch(`https://${subdomain}.zendesk.com/api/v2/users/me.json`, {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.user?.email;
 }
-async function fetchGoogleEmail(accessToken) {
-  try {
-    const response = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
-      headers: {
-        Authorization: `Bearer ${accessToken}`
-      }
-    });
-    if (!response.ok) {
-      return;
-    }
-    const user = await response.json();
-    return user.email;
-  } catch (error) {
-    logger3.error("Failed to fetch Google email:", error);
+async function fetchAirtableEmail(token) {
+  const response = await fetch("https://api.airtable.com/v0/meta/whoami", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
     return;
-  }
+  const body = await response.json();
+  return body.email;
 }
-async function fetchNotionEmail(accessToken) {
-  try {
-    const response = await fetch("https://api.notion.com/v1/users/me", {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Notion-Version": "2022-06-28"
-      }
-    });
-    if (!response.ok) {
-      return;
+async function fetchDiscordEmail(token) {
+  const response = await fetch("https://discord.com/api/users/@me", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.email;
+}
+async function fetchDropboxEmail(token) {
+  const response = await fetch("https://api.dropboxapi.com/2/users/get_current_account", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`
+    },
+    body: "null"
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.email;
+}
+async function fetchGitLabEmail(token) {
+  const response = await fetch("https://gitlab.com/api/v4/user", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.email;
+}
+async function fetchRedditEmail(token) {
+  const response = await fetch("https://oauth.reddit.com/api/v1/me", {
+    headers: {
+      Authorization: `Bearer ${token.accessToken}`,
+      "User-Agent": "integrate-sdk"
     }
-    const user = await response.json();
-    return user.person?.email;
-  } catch (error) {
-    logger3.error("Failed to fetch Notion email:", error);
+  });
+  if (!response.ok)
     return;
-  }
+  const body = await response.json();
+  return body.name;
+}
+async function fetchMicrosoftEmail(token) {
+  const response = await fetch("https://graph.microsoft.com/v1.0/me", {
+    headers: { Authorization: `Bearer ${token.accessToken}` }
+  });
+  if (!response.ok)
+    return;
+  const body = await response.json();
+  return body.mail ?? body.userPrincipalName;
 }
-var logger3;
+var logger3, EMAIL_FETCHERS;
 var init_email_fetcher = __esm(() => {
   init_logger();
   logger3 = createLogger("EmailFetcher");
+  EMAIL_FETCHERS = {
+    github: fetchGitHubEmail,
+    gmail: fetchGoogleEmail,
+    google: fetchGoogleEmail,
+    gcal: fetchGoogleEmail,
+    gdrive: fetchGoogleEmail,
+    gdocs: fetchGoogleEmail,
+    gsheets: fetchGoogleEmail,
+    gslides: fetchGoogleEmail,
+    gcontacts: fetchGoogleEmail,
+    gmeet: fetchGoogleEmail,
+    gchat: fetchGoogleEmail,
+    gtasks: fetchGoogleEmail,
+    ga4: fetchGoogleEmail,
+    youtube: fetchGoogleEmail,
+    notion: fetchNotionEmail,
+    linear: fetchLinearEmail,
+    hubspot: fetchHubSpotEmail,
+    polar: fetchPolarEmail,
+    todoist: fetchTodoistEmail,
+    vercel: fetchVercelEmail,
+    slack: fetchSlackEmail,
+    intercom: fetchIntercomEmail,
+    jira: fetchAtlassianEmail,
+    zendesk: fetchZendeskEmail,
+    airtable: fetchAirtableEmail,
+    discord: fetchDiscordEmail,
+    dropbox: fetchDropboxEmail,
+    gitlab: fetchGitLabEmail,
+    reddit: fetchRedditEmail,
+    outlook: fetchMicrosoftEmail,
+    teams: fetchMicrosoftEmail,
+    onedrive: fetchMicrosoftEmail,
+    sharepoint: fetchMicrosoftEmail,
+    excel: fetchMicrosoftEmail,
+    word: fetchMicrosoftEmail,
+    powerpoint: fetchMicrosoftEmail,
+    planner: fetchMicrosoftEmail
+  };
 });
 
 // src/utils/concurrency.ts
@@ -3276,6 +3439,148 @@ class IndexedDBStorage {
 
 // src/oauth/manager.ts
 init_email_fetcher();
+
+// src/oauth/refresh.ts
+class RefreshRejectedError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message ?? `OAuth refresh rejected (invalid_grant) for ${provider}`);
+    this.name = "RefreshRejectedError";
+    this.provider = provider;
+  }
+}
+
+class RefreshTransientError extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message);
+    this.name = "RefreshTransientError";
+    this.provider = provider;
+  }
+}
+var DEFAULT_REFRESH_WINDOW_MS = 2 * 60 * 1000;
+function shouldRefreshToken(tokenData, windowMs = DEFAULT_REFRESH_WINDOW_MS) {
+  if (!tokenData || !tokenData.refreshToken || !tokenData.expiresAt) {
+    return false;
+  }
+  const expiresAtMs = Date.parse(tokenData.expiresAt);
+  if (Number.isNaN(expiresAtMs)) {
+    return false;
+  }
+  return expiresAtMs - Date.now() <= windowMs;
+}
+async function refreshViaMcp(opts) {
+  const url = new URL("/oauth/refresh", opts.serverUrl);
+  const body = {
+    provider: opts.provider,
+    refresh_token: opts.refreshToken,
+    client_id: opts.clientId
+  };
+  if (opts.clientSecret) {
+    body.client_secret = opts.clientSecret;
+  }
+  if (opts.subdomain) {
+    body.subdomain = opts.subdomain;
+  }
+  if (opts.extraConfig) {
+    for (const [key, value] of Object.entries(opts.extraConfig)) {
+      if (body[key] === undefined) {
+        body[key] = value;
+      }
+    }
+  }
+  const headers = { "Content-Type": "application/json" };
+  if (opts.apiKey) {
+    headers["X-API-KEY"] = opts.apiKey;
+  }
+  let response;
+  try {
+    response = await fetch(url.toString(), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+      signal: opts.signal
+    });
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Network error refreshing ${opts.provider} token: ${err.message}`);
+  }
+  if (response.status === 401) {
+    let parsed = {};
+    try {
+      parsed = await response.json();
+    } catch {}
+    if (parsed.error === "invalid_grant") {
+      throw new RefreshRejectedError(opts.provider);
+    }
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned 401`);
+  }
+  if (!response.ok) {
+    let text = "";
+    try {
+      text = await response.text();
+    } catch {}
+    throw new RefreshTransientError(opts.provider, `Refresh endpoint returned ${response.status}: ${text || "<no body>"}`);
+  }
+  let result;
+  try {
+    result = await response.json();
+  } catch (err) {
+    throw new RefreshTransientError(opts.provider, `Malformed refresh response: ${err.message}`);
+  }
+  if (!result.accessToken) {
+    throw new RefreshTransientError(opts.provider, `Refresh response missing access_token`);
+  }
+  if (!result.refreshToken) {
+    result.refreshToken = opts.refreshToken;
+  }
+  return result;
+}
+async function resolveAccessToken(opts) {
+  const { provider, currentTokens, force = false } = opts;
+  const needsRefresh = force || shouldRefreshToken(currentTokens, opts.windowMs);
+  if (!needsRefresh || !currentTokens.refreshToken) {
+    return currentTokens.accessToken;
+  }
+  try {
+    const refreshed = await refreshViaMcp({
+      provider,
+      refreshToken: currentTokens.refreshToken,
+      clientId: opts.providerOAuth.clientId,
+      clientSecret: opts.providerOAuth.clientSecret,
+      subdomain: opts.providerOAuth.subdomain,
+      extraConfig: opts.providerOAuth.extraConfig,
+      serverUrl: opts.serverUrl,
+      apiKey: opts.apiKey
+    });
+    const updated = {
+      ...currentTokens,
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken ?? currentTokens.refreshToken,
+      tokenType: refreshed.tokenType || currentTokens.tokenType,
+      expiresIn: refreshed.expiresIn ?? currentTokens.expiresIn,
+      expiresAt: refreshed.expiresAt ?? currentTokens.expiresAt,
+      scopes: refreshed.scopes && refreshed.scopes.length > 0 ? refreshed.scopes : currentTokens.scopes
+    };
+    if (opts.setProviderToken) {
+      try {
+        await opts.setProviderToken(provider, updated, updated.email, opts.context);
+      } catch {}
+    }
+    return updated.accessToken;
+  } catch (err) {
+    if (err instanceof RefreshRejectedError) {
+      if (opts.setProviderToken) {
+        try {
+          await opts.setProviderToken(provider, null, currentTokens.email, opts.context);
+        } catch {}
+      }
+      throw err;
+    }
+    return currentTokens.accessToken;
+  }
+}
+
+// src/oauth/manager.ts
 init_logger();
 var logger4 = createLogger("OAuth");
 
@@ -3291,7 +3596,10 @@ class OAuthManager {
   removeTokenCallback;
   indexedDBStorage;
   skipLocalStorage = false;
-  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks) {
+  providerOAuth = {};
+  mcpServerUrl;
+  mcpApiKey;
+  constructor(oauthApiBase, flowConfig, apiBaseUrl, tokenCallbacks, refreshConfig) {
     this.oauthApiBase = oauthApiBase;
     this.apiBaseUrl = apiBaseUrl;
     this.windowManager = new OAuthWindowManager;
@@ -3303,6 +3611,9 @@ class OAuthManager {
     this.getTokenCallback = tokenCallbacks?.getProviderToken;
     this.setTokenCallback = tokenCallbacks?.setProviderToken;
     this.removeTokenCallback = tokenCallbacks?.removeProviderToken;
+    this.providerOAuth = refreshConfig?.providers ?? {};
+    this.mcpServerUrl = refreshConfig?.mcpServerUrl;
+    this.mcpApiKey = refreshConfig?.apiKey;
     this.indexedDBStorage = new IndexedDBStorage;
     this.cleanupExpiredPendingAuths();
   }
@@ -3512,7 +3823,9 @@ class OAuthManager {
       try {
         const tokenData = await this.getTokenCallback(provider, email, context);
         if (tokenData) {
-          this.providerTokens.set(provider, tokenData);
+          const refreshed = await this.maybeRefreshTokenData(provider, tokenData, context);
+          this.providerTokens.set(provider, refreshed);
+          return refreshed;
         }
         return tokenData;
       } catch (error) {
@@ -3552,6 +3865,59 @@ class OAuthManager {
     }
     await this.saveProviderToken(provider, tokenData, tokenEmail, context);
   }
+  configureTokenRefresh(refreshConfig) {
+    if (refreshConfig.providers) {
+      this.providerOAuth = refreshConfig.providers;
+    }
+    if (refreshConfig.mcpServerUrl !== undefined) {
+      this.mcpServerUrl = refreshConfig.mcpServerUrl;
+    }
+    if (refreshConfig.apiKey !== undefined) {
+      this.mcpApiKey = refreshConfig.apiKey;
+    }
+  }
+  async maybeRefreshTokenData(provider, tokenData, context) {
+    const credentials = this.providerOAuth[provider];
+    const serverUrl = this.mcpServerUrl;
+    if (!credentials || !serverUrl) {
+      return tokenData;
+    }
+    if (!shouldRefreshToken(tokenData)) {
+      return tokenData;
+    }
+    try {
+      const newAccessToken = await resolveAccessToken({
+        provider,
+        currentTokens: tokenData,
+        providerOAuth: {
+          clientId: credentials.clientId,
+          clientSecret: credentials.clientSecret,
+          subdomain: credentials.config?.subdomain
+        },
+        serverUrl,
+        apiKey: this.mcpApiKey,
+        setProviderToken: this.setTokenCallback,
+        context
+      });
+      if (newAccessToken === tokenData.accessToken) {
+        return tokenData;
+      }
+      if (this.getTokenCallback) {
+        try {
+          const reloaded = await this.getTokenCallback(provider, tokenData.email, context);
+          if (reloaded) {
+            return reloaded;
+          }
+        } catch {}
+      }
+      return { ...tokenData, accessToken: newAccessToken };
+    } catch (err) {
+      if (err instanceof RefreshRejectedError) {
+        throw err;
+      }
+      return tokenData;
+    }
+  }
   clearProviderToken(provider) {
     this.providerTokens.delete(provider);
     if (!this.setTokenCallback && !this.removeTokenCallback && !this.skipLocalStorage) {
@@ -4008,10 +4374,26 @@ class MCPClientBase {
     };
     this.onReauthRequired = config.onReauthRequired;
     this.maxReauthRetries = config.maxReauthRetries ?? 1;
+    const refreshProviders = {};
+    for (const integration of this.integrations) {
+      const oauth = integration?.oauth;
+      if (oauth?.clientId && oauth?.provider) {
+        refreshProviders[oauth.provider] = {
+          clientId: oauth.clientId,
+          clientSecret: oauth.clientSecret,
+          config: oauth.config
+        };
+      }
+    }
+    const mcpServerUrl = config.serverUrl;
     this.oauthManager = new OAuthManager(oauthApiBase, config.oauthFlow, this.apiBaseUrl, {
       getProviderToken: config.getProviderToken,
       setProviderToken: config.setProviderToken,
       removeProviderToken: config.removeProviderToken
+    }, {
+      providers: refreshProviders,
+      mcpServerUrl,
+      apiKey: config.apiKey
     });
     this.setSessionToken(config.sessionToken || this.loadSessionTokenFromStorage());
     for (const integration of this.integrations) {
@@ -15978,6 +16360,34 @@ function convertJsonSchemaToGoogleSchema(jsonSchema, TypeEnum) {
 // src/server.ts
 var SERVER_LOG_CONTEXT3 = "server";
 var logger93 = createLogger("MCPServer", SERVER_LOG_CONTEXT3);
+async function refreshTokenIfNeeded(provider, tokenData, providers, config, context) {
+  const credentials = providers[provider];
+  if (!credentials || !config.serverUrl) {
+    return tokenData.accessToken;
+  }
+  try {
+    return await resolveAccessToken({
+      provider,
+      currentTokens: tokenData,
+      providerOAuth: {
+        clientId: credentials.clientId,
+        clientSecret: credentials.clientSecret,
+        subdomain: credentials.config?.subdomain
+      },
+      serverUrl: config.serverUrl,
+      apiKey: config.apiKey,
+      setProviderToken: config.setProviderToken,
+      context
+    });
+  } catch (err) {
+    if (err instanceof RefreshRejectedError) {
+      logger93.warn(`[Token Refresh] Refresh token rejected for ${provider}; integration marked disconnected.`);
+    } else {
+      logger93.warn(`[Token Refresh] Failed to refresh ${provider} token: ${err.message}`);
+    }
+    return tokenData.accessToken;
+  }
+}
 var globalServerConfig = null;
 var globalMCPHandler = null;
 var codeVerifierStorage = new Map;
@@ -16229,7 +16639,8 @@ function createMCPServer(config) {
             if (provider) {
               const tokenData = await config.getProviderToken(provider, undefined, context2);
               if (tokenData?.accessToken) {
-                authHeader = `Bearer ${tokenData.accessToken}`;
+                const accessToken = await refreshTokenIfNeeded(provider, tokenData, providers, config, context2);
+                authHeader = `Bearer ${accessToken}`;
               }
             }
           } catch {}