npm - poe-code - Versions diffs - 3.0.292 → 3.0.294 - Mend

poe-code 3.0.292 → 3.0.294

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js +60 -15
package/dist/index.js.map +3 -3
package/dist/metafile.json +1 -1
package/package.json +1 -1
package/packages/opencode-poe-auth/dist/poe-auth-plugin.js +32 -5
package/packages/poe-oauth/dist/check-auth.js +10 -6
package/packages/poe-oauth/dist/loopback-authorization.js +33 -16
package/packages/poe-oauth/dist/oauth-client.js +35 -17

package/dist/index.js CHANGED Viewed

@@ -63528,19 +63528,23 @@ function isCurrentBalanceResponse(value) {
   const data = value;
   const email = getOwnString3(data, "email");
   const balance = getOwnEntry21(data, "current_point_balance");
-  const hasEmail = email !== void 0 && email.length > 0;
+  const hasEmail = email !== void 0;
   const hasBalance = balance !== void 0;
   if (!hasEmail && !hasBalance) {
     return false;
   }
-  return balance === void 0 || balance === null || typeof balance === "number" && Number.isFinite(balance);
+  return balance === void 0 || balance === null || typeof balance === "number" && Number.isFinite(balance) && balance >= 0;
 }
 function getOwnEntry21(record, key2) {
   return Object.prototype.hasOwnProperty.call(record, key2) ? record[key2] : void 0;
 }
 function getOwnString3(record, key2) {
   const value = getOwnEntry21(record, key2);
-  return typeof value === "string" && value.length > 0 ? value : void 0;
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
 }
 function getOwnNumber(record, key2) {
   const value = getOwnEntry21(record, key2);
@@ -63652,6 +63656,21 @@ function waitForAuthorizationCode2(server, authorizationUrl, options, callbackPa
       }
       const error3 = url.searchParams.get("error");
       if (error3 !== null) {
+        try {
+          validateAuthorizationCallbackBinding2(
+            {
+              state: url.searchParams.get("state"),
+              iss: url.searchParams.get("iss")
+            },
+            expectedAuthorization
+          );
+        } catch (validationError) {
+          res.writeHead(400);
+          res.end(
+            validationError instanceof Error ? validationError.message : "Invalid OAuth callback"
+          );
+          return;
+        }
         const description = url.searchParams.get("error_description") ?? error3;
         res.writeHead(400);
         res.end(`Authorization failed: ${description}`);
@@ -63659,11 +63678,14 @@ function waitForAuthorizationCode2(server, authorizationUrl, options, callbackPa
         return;
       }
       try {
-        const code = validateAuthorizationCallbackParameters2({
-          code: url.searchParams.get("code"),
-          state: url.searchParams.get("state"),
-          iss: url.searchParams.get("iss")
-        }, expectedAuthorization);
+        const code = validateAuthorizationCallbackParameters2(
+          {
+            code: url.searchParams.get("code"),
+            state: url.searchParams.get("state"),
+            iss: url.searchParams.get("iss")
+          },
+          expectedAuthorization
+        );
         res.writeHead(200, { "Content-Type": "text/html" });
         res.end(buildSuccessPage2(options.landingPage));
         settle(() => resolve11(code));
@@ -63734,6 +63756,10 @@ function validateAuthorizationCallbackParameters2(callback, expected) {
   if (callback.code === null || callback.code.length === 0) {
     throw new Error("OAuth callback missing authorization code");
   }
+  validateAuthorizationCallbackBinding2(callback, expected);
+  return callback.code;
+}
+function validateAuthorizationCallbackBinding2(callback, expected) {
   if (expected.state !== null) {
     if (callback.state === null || callback.state.length === 0) {
       throw new Error("OAuth callback missing state");
@@ -63750,7 +63776,6 @@ function validateAuthorizationCallbackParameters2(callback, expected) {
   if (callback.iss !== null && callback.iss.length > 0 && expected.issuer !== null && callback.iss !== expected.issuer) {
     throw new Error("OAuth callback issuer mismatch");
   }
-  return callback.code;
 }
 function escapeHtml3(text5) {
   return text5.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;");
@@ -63792,8 +63817,13 @@ var init_pkce2 = __esm({
 // packages/poe-oauth/src/oauth-client.ts
 function createOAuthClient(config2) {
   const fetchFn = config2.fetch ?? globalThis.fetch;
+  const clientId = validateClientId(config2.clientId);
+  const normalizedConfig = {
+    ...config2,
+    clientId
+  };
   return {
-    authorize: () => startAuthorization(config2, fetchFn)
+    authorize: () => startAuthorization(normalizedConfig, fetchFn)
   };
 }
 function generateCodeVerifier3() {
@@ -63886,12 +63916,12 @@ async function exchangeCodeForApiKey(params) {
     throw new Error("Token response must be a JSON object");
   }
   const data = value;
-  const apiKey = getOwnString4(data, "api_key");
+  const apiKey = getOwnString4(data, "api_key")?.trim();
   const apiKeyExpiresIn = getOwnEntry23(data, "api_key_expires_in");
-  if (apiKey === void 0 || apiKey.trim().length === 0) {
+  if (apiKey === void 0 || apiKey.length === 0) {
     throw new Error("Token response missing api_key field");
   }
-  if (apiKeyExpiresIn !== void 0 && (typeof apiKeyExpiresIn !== "number" || !Number.isFinite(apiKeyExpiresIn) || apiKeyExpiresIn < 0)) {
+  if (apiKeyExpiresIn !== void 0 && !isValidExpiresIn(apiKeyExpiresIn)) {
     throw new Error("Token response invalid api_key_expires_in field");
   }
   return {
@@ -63927,7 +63957,21 @@ function getOwnString4(record, key2) {
   const value = getOwnEntry23(record, key2);
   return typeof value === "string" ? value : void 0;
 }
-var DEFAULT_AUTHORIZATION_ENDPOINT, DEFAULT_TOKEN_ENDPOINT;
+function validateClientId(clientId) {
+  const trimmed = clientId.trim();
+  if (trimmed.length === 0 || trimmed !== clientId) {
+    throw new Error("Poe OAuth clientId must not be blank or contain surrounding whitespace.");
+  }
+  return clientId;
+}
+function isValidExpiresIn(value) {
+  if (typeof value !== "number" || !Number.isFinite(value) || !Number.isInteger(value) || value < 0) {
+    return false;
+  }
+  const expiresAt = Date.now() + value * 1e3;
+  return Number.isSafeInteger(expiresAt) && expiresAt <= MAX_VALID_EPOCH_MS;
+}
+var DEFAULT_AUTHORIZATION_ENDPOINT, DEFAULT_TOKEN_ENDPOINT, MAX_VALID_EPOCH_MS;
 var init_oauth_client = __esm({
   "packages/poe-oauth/src/oauth-client.ts"() {
     "use strict";
@@ -63936,6 +63980,7 @@ var init_oauth_client = __esm({
     init_pkce2();
     DEFAULT_AUTHORIZATION_ENDPOINT = "https://poe.com/oauth/authorize";
     DEFAULT_TOKEN_ENDPOINT = "https://api.poe.com/token";
+    MAX_VALID_EPOCH_MS = 864e13;
   }
 });
@@ -136735,7 +136780,7 @@ var init_package2 = __esm({
   "package.json"() {
     package_default2 = {
       name: "poe-code",
-      version: "3.0.292",
+      version: "3.0.294",
       description: "CLI tool to configure Poe API for developer workflows.",
       type: "module",
       main: "./dist/index.js",