vercel 41.7.8 → 42.1.0

package/dist/index.js

@@ -60305,8 +60305,254 @@ var init_promise = __esm({
   }
 });
 
+// src/util/oauth.ts
+async function as() {
+  if (!_as) {
+    const discoveryResponse = await discoveryEndpointRequest(VERCEL_ISSUER);
+    const [discoveryResponseError, as2] = await processDiscoveryEndpointResponse(discoveryResponse);
+    if (discoveryResponseError) {
+      throw discoveryResponseError;
+    }
+    _as = as2;
+  }
+  return _as;
+}
+async function discoveryEndpointRequest(issuer) {
+  return await (0, import_node_fetch.default)(new URL(".well-known/openid-configuration", issuer), {
+    headers: { "Content-Type": "application/json", "user-agent": userAgent }
+  });
+}
+async function processDiscoveryEndpointResponse(response) {
+  const json = await response.json();
+  if (!response.ok) {
+    return [new Error("Discovery endpoint request failed")];
+  }
+  if (typeof json !== "object" || json === null || !canParseURL(json.issuer) || !canParseURL(json.device_authorization_endpoint) || !canParseURL(json.token_endpoint) || !canParseURL(json.revocation_endpoint) || !canParseURL(json.jwks_uri)) {
+    return [new TypeError("Invalid discovery response")];
+  }
+  const issuer = new URL(json.issuer);
+  if (issuer.href !== VERCEL_ISSUER.href) {
+    return [new Error("Issuer mismatch")];
+  }
+  return [
+    null,
+    {
+      issuer,
+      device_authorization_endpoint: new URL(
+        json.device_authorization_endpoint
+      ),
+      token_endpoint: new URL(json.token_endpoint),
+      revocation_endpoint: new URL(json.revocation_endpoint),
+      jwks_uri: new URL(json.jwks_uri)
+    }
+  ];
+}
+async function deviceAuthorizationRequest() {
+  return await (0, import_node_fetch.default)((await as()).device_authorization_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "user-agent": userAgent
+    },
+    body: new URLSearchParams({
+      client_id: VERCEL_CLI_CLIENT_ID,
+      scope: "openid offline_access"
+    })
+  });
+}
+async function processDeviceAuthorizationResponse(response) {
+  const json = await response.json();
+  if (!response.ok) {
+    return [new OAuthError("Device authorization request failed", json)];
+  }
+  if (typeof json !== "object" || json === null)
+    return [new TypeError("Expected response to be an object")];
+  if (!("device_code" in json) || typeof json.device_code !== "string")
+    return [new TypeError("Expected `device_code` to be a string")];
+  if (!("user_code" in json) || typeof json.user_code !== "string")
+    return [new TypeError("Expected `user_code` to be a string")];
+  if (!("verification_uri" in json) || typeof json.verification_uri !== "string" || !canParseURL(json.verification_uri)) {
+    return [new TypeError("Expected `verification_uri` to be a string")];
+  }
+  if (!("verification_uri_complete" in json) || typeof json.verification_uri_complete !== "string" || !canParseURL(json.verification_uri_complete)) {
+    return [
+      new TypeError("Expected `verification_uri_complete` to be a string")
+    ];
+  }
+  if (!("expires_in" in json) || typeof json.expires_in !== "number")
+    return [new TypeError("Expected `expires_in` to be a number")];
+  if (!("interval" in json) || typeof json.interval !== "number")
+    return [new TypeError("Expected `interval` to be a number")];
+  return [
+    null,
+    {
+      device_code: json.device_code,
+      user_code: json.user_code,
+      verification_uri: json.verification_uri,
+      verification_uri_complete: json.verification_uri_complete,
+      expiresAt: Date.now() + json.expires_in * 1e3,
+      interval: json.interval
+    }
+  ];
+}
+async function deviceAccessTokenRequest(options) {
+  try {
+    return [
+      null,
+      await (0, import_node_fetch.default)((await as()).token_endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "user-agent": userAgent
+        },
+        body: new URLSearchParams({
+          client_id: VERCEL_CLI_CLIENT_ID,
+          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+          ...options
+        }),
+        // TODO: Drop `node-fetch` and just use `signal`
+        timeout: 10 * 1e3,
+        // @ts-expect-error: Signal is part of `fetch` spec, should drop `node-fetch`
+        signal: AbortSignal.timeout(10 * 1e3)
+      })
+    ];
+  } catch (error3) {
+    if (error3 instanceof Error)
+      return [error3];
+    return [
+      new Error("An unknown error occurred. See the logs for details.", {
+        cause: error3
+      })
+    ];
+  }
+}
+async function processTokenResponse(response) {
+  const json = await response.json();
+  if (!response.ok) {
+    return [new OAuthError("Device access token request failed", json)];
+  }
+  if (typeof json !== "object" || json === null)
+    return [new TypeError("Expected response to be an object")];
+  if (!("access_token" in json) || typeof json.access_token !== "string")
+    return [new TypeError("Expected `access_token` to be a string")];
+  if (!("token_type" in json) || json.token_type !== "Bearer")
+    return [new TypeError('Expected `token_type` to be "Bearer"')];
+  if (!("expires_in" in json) || typeof json.expires_in !== "number")
+    return [new TypeError("Expected `expires_in` to be a number")];
+  if ("refresh_token" in json && (typeof json.refresh_token !== "string" || !json.refresh_token))
+    return [new TypeError("Expected `refresh_token` to be a string")];
+  if ("scope" in json && typeof json.scope !== "string")
+    return [new TypeError("Expected `scope` to be a string")];
+  return [null, json];
+}
+async function revocationRequest(options) {
+  return await (0, import_node_fetch.default)((await as()).revocation_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "user-agent": userAgent
+    },
+    body: new URLSearchParams({ ...options, client_id: VERCEL_CLI_CLIENT_ID })
+  });
+}
+async function processRevocationResponse(response) {
+  if (response.ok)
+    return [null, null];
+  const json = await response.json();
+  return [new OAuthError("Revocation request failed", json)];
+}
+async function refreshTokenRequest(options) {
+  return await (0, import_node_fetch.default)((await as()).token_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      "user-agent": ua_default
+    },
+    body: new URLSearchParams({
+      client_id: VERCEL_CLI_CLIENT_ID,
+      grant_type: "refresh_token",
+      ...options
+    })
+  });
+}
+function processOAuthErrorResponse(json) {
+  if (typeof json !== "object" || json === null)
+    return new TypeError("Expected response to be an object");
+  if (!("error" in json) || typeof json.error !== "string")
+    return new TypeError("Expected `error` to be a string");
+  if ("error_description" in json && typeof json.error_description !== "string")
+    return new TypeError("Expected `error_description` to be a string");
+  if ("error_uri" in json && typeof json.error_uri !== "string")
+    return new TypeError("Expected `error_uri` to be a string");
+  return json;
+}
+function isOAuthError(error3) {
+  return error3 instanceof OAuthError;
+}
+function canParseURL(url3) {
+  try {
+    return !!new URL(url3);
+  } catch {
+    return false;
+  }
+}
+function inspectToken(token) {
+  try {
+    return [null, (0, import_jose.decodeJwt)(token)];
+  } catch (cause) {
+    return [new InspectionError("Could not inspect token.", { cause })];
+  }
+}
+var import_node_fetch, import_jose, import_os5, VERCEL_ISSUER, VERCEL_CLI_CLIENT_ID, userAgent, _as, OAuthError, InspectionError;
+var init_oauth2 = __esm({
+  "src/util/oauth.ts"() {
+    "use strict";
+    import_node_fetch = __toESM3(require_lib7());
+    import_jose = require("jose");
+    init_ua();
+    import_os5 = require("os");
+    VERCEL_ISSUER = new URL("https://vercel.com");
+    VERCEL_CLI_CLIENT_ID = "cl_HYyOPBNtFMfHhaUn9L4QPfTZz6TP47bp";
+    userAgent = `${(0, import_os5.hostname)()} @ ${ua_default}`;
+    OAuthError = class extends Error {
+      constructor(message2, response) {
+        var __super = (...args) => {
+          super(...args);
+        };
+        const error3 = processOAuthErrorResponse(response);
+        if (error3 instanceof TypeError) {
+          const message3 = `Unexpected server response: ${JSON.stringify(response)}`;
+          __super(message3);
+          this.cause = new Error(message3, { cause: error3 });
+          this.code = "server_error";
+          return;
+        }
+        let cause = error3.error;
+        if (error3.error_description)
+          cause += `: ${error3.error_description}`;
+        if (error3.error_uri)
+          cause += ` (${error3.error_uri})`;
+        __super(message2, { cause });
+        this.cause = new Error(cause);
+        this.code = error3.error;
+      }
+    };
+    InspectionError = class extends Error {
+    };
+  }
+});
+
 // src/util/client.ts
-var import_chalk17, import_events, import_url8, import_async_retry, import_node_fetch, import_error_utils6, isSAMLError, isJSONObject, Client;
+function isOAuthAuth(authConfig) {
+  return authConfig.type === "oauth";
+}
+function isValidAccessToken(authConfig) {
+  return "token" in authConfig && (authConfig.expiresAt ?? 0) >= Date.now();
+}
+function hasRefreshToken(authConfig) {
+  return "refreshToken" in authConfig;
+}
+var import_chalk17, import_events, import_url8, import_async_retry, import_node_fetch2, import_error_utils6, isSAMLError, isJSONObject, Client;
 var init_client = __esm({
   "src/util/client.ts"() {
     "use strict";
@@ -60319,7 +60565,7 @@ var init_client = __esm({
     import_events = require("events");
     import_url8 = require("url");
     import_async_retry = __toESM3(require_dist5());
-    import_node_fetch = __toESM3(require_lib7());
+    import_node_fetch2 = __toESM3(require_lib7());
     init_ua();
     init_response_error();
     init_print_indications();
@@ -60330,6 +60576,7 @@ var init_client = __esm({
     import_error_utils6 = __toESM3(require_dist2());
     init_sleep();
     init_output_manager();
+    init_oauth2();
     isSAMLError = (v) => {
       return v && v.saml;
     };
@@ -60398,7 +60645,65 @@ ${error3.stack}`);
           onRetry: this._onRetry
         });
       }
-      _fetch(_url, opts = {}) {
+      /**
+       * When the auth config is of type `OAuthAuthConfig`,
+       * this method silently tries to refresh the access_token if it is expired.
+       *
+       * If the refresh_token is also expired, it will not attempt to refresh it.
+       * If there is any error during the refresh process, it will not throw an error.
+       */
+      async ensureAuthorized() {
+        if (!isOAuthAuth(this.authConfig))
+          return;
+        const { authConfig } = this;
+        if (isValidAccessToken(authConfig)) {
+          output_manager_default.debug("Valid access token, skipping token refresh.");
+          return;
+        }
+        if (!hasRefreshToken(authConfig)) {
+          output_manager_default.debug("No refresh token found, emptying auth config.");
+          this.emptyAuthConfig();
+          this.writeToAuthConfigFile();
+          return;
+        }
+        const tokenResponse = await refreshTokenRequest({
+          refresh_token: authConfig.refreshToken
+        });
+        const [tokensError, tokens] = await processTokenResponse(tokenResponse);
+        if (tokensError) {
+          output_manager_default.debug("Error refreshing token, emptying auth config.");
+          this.emptyAuthConfig();
+          this.writeToAuthConfigFile();
+          return;
+        }
+        this.updateAuthConfig({
+          type: "oauth",
+          token: tokens.access_token,
+          expiresAt: Math.floor(Date.now() / 1e3) + tokens.expires_in
+        });
+        if (tokens.refresh_token) {
+          this.updateAuthConfig({ refreshToken: tokens.refresh_token });
+        }
+        this.writeToAuthConfigFile();
+        this.writeToConfigFile();
+        output_manager_default.debug("Tokens refreshed successfully.");
+      }
+      updateConfig(config2) {
+        this.config = { ...this.config, ...config2 };
+      }
+      writeToConfigFile() {
+        writeToConfigFile(this.config);
+      }
+      updateAuthConfig(authConfig) {
+        this.authConfig = { ...this.authConfig, ...authConfig };
+      }
+      emptyAuthConfig() {
+        this.authConfig = {};
+      }
+      writeToAuthConfigFile() {
+        writeToAuthConfigFile(this.authConfig);
+      }
+      async _fetch(_url, opts = {}) {
         const url3 = new import_url8.URL(_url, this.apiUrl);
         if (opts.accountId || opts.useCurrentTeam !== false) {
           if (opts.accountId) {
@@ -60411,8 +60716,9 @@ ${error3.stack}`);
             url3.searchParams.set("teamId", this.config.currentTeam);
           }
         }
-        const headers = new import_node_fetch.Headers(opts.headers);
+        const headers = new import_node_fetch2.Headers(opts.headers);
         headers.set("user-agent", ua_default);
+        await this.ensureAuthorized();
         if (this.authConfig.token) {
           headers.set("authorization", `Bearer ${this.authConfig.token}`);
         }
@@ -60432,7 +60738,7 @@ ${error3.stack}`);
               return `#${requestId} \u2192 ${opts.method || "GET"} ${url3.href}`;
             }
           },
-          (0, import_node_fetch.default)(url3, { agent: this.agent, ...opts, headers, body })
+          (0, import_node_fetch2.default)(url3, { agent: this.agent, ...opts, headers, body })
         );
       }
       fetch(url3, opts = {}) {
@@ -126659,7 +126965,7 @@ async function addToGitIgnore(path11, ignore = VERCEL_DIR2) {
   try {
     const gitIgnorePath = (0, import_path12.join)(path11, ".gitignore");
     let gitIgnore = await (0, import_fs_extra5.readFile)(gitIgnorePath, "utf8").catch(() => null) ?? "";
-    const EOL = gitIgnore.includes("\r\n") ? "\r\n" : import_os5.default.EOL;
+    const EOL = gitIgnore.includes("\r\n") ? "\r\n" : import_os6.default.EOL;
     let contentModified = false;
     if (!gitIgnore.split(EOL).includes(ignore)) {
       gitIgnore += `${gitIgnore.endsWith(EOL) || gitIgnore.length === 0 ? "" : EOL}${ignore}${EOL}`;
@@ -126673,11 +126979,11 @@ async function addToGitIgnore(path11, ignore = VERCEL_DIR2) {
   }
   return isGitIgnoreUpdated;
 }
-var import_os5, import_path12, import_fs_extra5;
+var import_os6, import_path12, import_fs_extra5;
 var init_add_to_gitignore = __esm({
   "src/util/link/add-to-gitignore.ts"() {
     "use strict";
-    import_os5 = __toESM3(require("os"));
+    import_os6 = __toESM3(require("os"));
     import_path12 = require("path");
     import_fs_extra5 = __toESM3(require_lib());
     init_link2();
@@ -127164,14 +127470,14 @@ function findProjectsFromPath(projects, path11) {
   const firstMatch = matches[0];
   return matches.filter((match) => match.directory === firstMatch.directory);
 }
-var import_chalk35, import_pluralize3, import_os6, import_slugify, import_path14, import_build_utils5, import_fs_extra6, home;
+var import_chalk35, import_pluralize3, import_os7, import_slugify, import_path14, import_build_utils5, import_fs_extra6, home;
 var init_repo = __esm({
   "src/util/link/repo.ts"() {
     "use strict";
     import_chalk35 = __toESM3(require_source());
     init_esm4();
     import_pluralize3 = __toESM3(require_pluralize());
-    import_os6 = require("os");
+    import_os7 = require("os");
     import_slugify = __toESM3(require_slugify());
     import_path14 = require("path");
     import_build_utils5 = require("@vercel/build-utils");
@@ -127189,7 +127495,7 @@ var init_repo = __esm({
     init_connect_git_provider();
     init_git_helpers();
     init_output_manager();
-    home = (0, import_os6.homedir)();
+    home = (0, import_os7.homedir)();
   }
 });
 
@@ -139605,7 +139911,7 @@ async function pullEnvRecords(client2, projectId, source, { target, gitBranch }
     `Fetching Environment Variables of project ${projectId} and target ${target}`
   );
   const query = new import_url12.URLSearchParams();
-  let url3 = `/v2/env/pull/${projectId}`;
+  let url3 = `/v3/env/pull/${projectId}`;
   if (target) {
     url3 += `/${encodeURIComponent(target)}`;
     if (gitBranch) {
@@ -140089,7 +140395,7 @@ async function validatePaths(client2, paths) {
     });
     return { valid: false, exitCode: 1 };
   }
-  if (path11 === (0, import_os7.homedir)()) {
+  if (path11 === (0, import_os8.homedir)()) {
     const shouldDeployHomeDirectory = await client2.input.confirm(
       `You are deploying your home directory. Do you want to continue?`,
       false
@@ -140102,13 +140408,13 @@ async function validatePaths(client2, paths) {
   }
   return { valid: true, path: path11 };
 }
-var import_fs_extra16, import_chalk41, import_os7;
+var import_fs_extra16, import_chalk41, import_os8;
 var init_validate_paths = __esm({
   "src/util/validate-paths.ts"() {
     "use strict";
     import_fs_extra16 = __toESM3(require_lib());
     import_chalk41 = __toESM3(require_source());
-    import_os7 = require("os");
+    import_os8 = require("os");
     init_humanize_path();
     init_output_manager();
   }
@@ -140834,10 +141140,13 @@ async function main2(client2) {
     }
     process.env.VERCEL = "1";
     process.env.NOW_BUILDER = "1";
-    await rootSpan.child("vc.doBuild").trace(
-      (span) => doBuild(client2, project, buildsJson, cwd, outputDir, span)
-    );
-    await rootSpan.stop();
+    try {
+      await rootSpan.child("vc.doBuild").trace(
+        (span) => doBuild(client2, project, buildsJson, cwd, outputDir, span)
+      );
+    } finally {
+      await rootSpan.stop();
+    }
     return 0;
   } catch (err) {
     output_manager_default.prettyError(err);
@@ -145490,7 +145799,7 @@ var init_process_deployment = __esm({
 });
 
 // src/util/index.ts
-var import_querystring4, import_url15, import_async_retry5, import_ms10, import_node_fetch3, import_bytes4, import_chalk55, Now;
+var import_querystring4, import_url15, import_async_retry5, import_ms10, import_node_fetch4, import_bytes4, import_chalk55, Now;
 var init_util = __esm({
   "src/util/index.ts"() {
     "use strict";
@@ -145498,7 +145807,7 @@ var init_util = __esm({
     import_url15 = require("url");
     import_async_retry5 = __toESM3(require_dist5());
     import_ms10 = __toESM3(require_ms());
-    import_node_fetch3 = __toESM3(require_lib7());
+    import_node_fetch4 = __toESM3(require_lib7());
     import_bytes4 = __toESM3(require_bytes());
     import_chalk55 = __toESM3(require_source());
     init_ua();
@@ -145716,7 +146025,7 @@ ${err.stack}`);
           _url = `${parsedUrl.pathname}?${import_querystring4.default.stringify(query)}`;
           delete opts.useCurrentTeam;
         }
-        opts.headers = new import_node_fetch3.Headers(opts.headers);
+        opts.headers = new import_node_fetch4.Headers(opts.headers);
         opts.headers.set("accept", "application/json");
         if (this._token) {
           opts.headers.set("authorization", `Bearer ${this._token}`);
@@ -145731,7 +146040,7 @@ ${err.stack}`);
         }
         const res = await output_manager_default.time(
           `${opts.method || "GET"} ${this._apiUrl}${_url} ${opts.body || ""}`,
-          (0, import_node_fetch3.default)(`${this._apiUrl}${_url}`, { ...opts, body })
+          (0, import_node_fetch4.default)(`${this._apiUrl}${_url}`, { ...opts, body })
         );
         printIndications(res);
         return res;
@@ -164189,7 +164498,7 @@ var init_redirect = __esm({
 
 // src/util/dev/headers.ts
 function nodeHeadersToFetchHeaders(nodeHeaders) {
-  const headers = new import_node_fetch4.Headers();
+  const headers = new import_node_fetch5.Headers();
   for (const [name, value] of Object.entries(nodeHeaders)) {
     if (Array.isArray(value)) {
       for (const val of value) {
@@ -164233,11 +164542,11 @@ function applyOverriddenHeaders(reqHeaders, respHeaders) {
     respHeaders.delete(valueKey);
   }
 }
-var import_node_fetch4, NONOVERRIDABLE_HEADERS;
+var import_node_fetch5, NONOVERRIDABLE_HEADERS;
 var init_headers = __esm({
   "src/util/dev/headers.ts"() {
     "use strict";
-    import_node_fetch4 = __toESM3(require_lib7());
+    import_node_fetch5 = __toESM3(require_lib7());
     NONOVERRIDABLE_HEADERS = /* @__PURE__ */ new Set([
       "host",
       "connection",
@@ -164523,7 +164832,7 @@ function buildMatchEquals(a, b) {
     return false;
   return true;
 }
-var import_url18, import_http3, import_fs_extra21, import_ms13, import_chalk58, import_node_fetch5, import_pluralize7, import_raw_body, import_async_listen3, import_minimatch4, import_http_proxy, import_crypto2, import_serve_handler, import_chokidar, import_dotenv2, import_path35, import_once, import_directory, import_get_port, import_is_port_reachable, import_fast_deep_equal, import_npm_package_arg2, import_json_parse_better_errors3, import_client12, import_routing_utils5, import_build_utils17, import_fs_detectors6, import_frameworks6, import_error_utils21, frontendRuntimeSet, DEV_SERVER_PORT_BIND_TIMEOUT, DevServer;
+var import_url18, import_http3, import_fs_extra21, import_ms13, import_chalk58, import_node_fetch6, import_pluralize7, import_raw_body, import_async_listen3, import_minimatch4, import_http_proxy, import_crypto2, import_serve_handler, import_chokidar, import_dotenv2, import_path35, import_once, import_directory, import_get_port, import_is_port_reachable, import_fast_deep_equal, import_npm_package_arg2, import_json_parse_better_errors3, import_client12, import_routing_utils5, import_build_utils17, import_fs_detectors6, import_frameworks6, import_error_utils21, frontendRuntimeSet, DEV_SERVER_PORT_BIND_TIMEOUT, DevServer;
 var init_server = __esm({
   "src/util/dev/server.ts"() {
     "use strict";
@@ -164532,7 +164841,7 @@ var init_server = __esm({
     import_fs_extra21 = __toESM3(require_lib());
     import_ms13 = __toESM3(require_ms());
     import_chalk58 = __toESM3(require_source());
-    import_node_fetch5 = __toESM3(require_lib7());
+    import_node_fetch6 = __toESM3(require_lib7());
     import_pluralize7 = __toESM3(require_pluralize());
     import_raw_body = __toESM3(require_raw_body());
     import_async_listen3 = __toESM3(require_dist6());
@@ -164728,7 +165037,7 @@ var init_server = __esm({
                 for (const [name, value] of nodeHeadersToFetchHeaders(proxyHeaders)) {
                   middlewareReqHeaders.set(name, value);
                 }
-                const middlewareRes = await (0, import_node_fetch5.default)(
+                const middlewareRes = await (0, import_node_fetch6.default)(
                   `http://127.0.0.1:${port}${parsed.path}`,
                   {
                     headers: middlewareReqHeaders,
@@ -166277,7 +166586,7 @@ async function* refreshOidcToken(signal, client2, projectId, envValues, source,
     const now = clock();
     let expiresAfterMillis;
     try {
-      const { exp } = (0, import_jose.decodeJwt)(oidcToken);
+      const { exp } = (0, import_jose2.decodeJwt)(oidcToken);
       expiresAfterMillis = exp !== void 0 ? exp * 1e3 - now : void 0;
     } catch (error3) {
     }
@@ -166341,12 +166650,12 @@ function clock() {
 function millisToSecs(millis) {
   return millis / 1e3;
 }
-var import_promises2, import_jose, import_ms14, import_perf_hooks, REFRESH_BEFORE_EXPIRY_MILLIS, THROTTLE_MILLIS;
+var import_promises2, import_jose2, import_ms14, import_perf_hooks, REFRESH_BEFORE_EXPIRY_MILLIS, THROTTLE_MILLIS;
 var init_refresh_oidc_token = __esm({
   "src/util/env/refresh-oidc-token.ts"() {
     "use strict";
     import_promises2 = require("timers/promises");
-    import_jose = require("jose");
+    import_jose2 = require("jose");
     import_ms14 = __toESM3(require_ms());
     import_perf_hooks = require("perf_hooks");
     init_output_manager();
@@ -166422,7 +166731,7 @@ async function dev(client2, opts, args2, telemetry2) {
       envValues,
       "vercel-cli:dev"
     )) {
-      output_manager_default.log(`Refreshing ${import_chalk59.default.green(VERCEL_OIDC_TOKEN)}`);
+      output_manager_default.debug(`Refreshing ${import_chalk59.default.green(VERCEL_OIDC_TOKEN)}`);
       envValues[VERCEL_OIDC_TOKEN] = token;
       await devServer.runDevCommand(true);
       telemetry2.trackOidcTokenRefresh(++refreshCount);
@@ -175589,234 +175898,6 @@ var init_login2 = __esm({
   }
 });
 
-// src/util/oauth.ts
-async function as() {
-  if (!_as) {
-    const discoveryResponse = await discoveryEndpointRequest(VERCEL_ISSUER);
-    const [discoveryResponseError, as2] = await processDiscoveryEndpointResponse(discoveryResponse);
-    if (discoveryResponseError) {
-      throw discoveryResponseError;
-    }
-    _as = as2;
-  }
-  return _as;
-}
-async function discoveryEndpointRequest(issuer) {
-  return await (0, import_node_fetch6.default)(new URL(".well-known/openid-configuration", issuer), {
-    headers: { "Content-Type": "application/json", "user-agent": userAgent }
-  });
-}
-async function processDiscoveryEndpointResponse(response) {
-  const json = await response.json();
-  if (!response.ok) {
-    return [new Error("Discovery endpoint request failed")];
-  }
-  if (typeof json !== "object" || json === null || !canParseURL(json.issuer) || !canParseURL(json.device_authorization_endpoint) || !canParseURL(json.token_endpoint) || !canParseURL(json.revocation_endpoint) || !canParseURL(json.jwks_uri)) {
-    return [new TypeError("Invalid discovery response")];
-  }
-  const issuer = new URL(json.issuer);
-  if (issuer.href !== VERCEL_ISSUER.href) {
-    return [new Error("Issuer mismatch")];
-  }
-  return [
-    null,
-    {
-      issuer,
-      device_authorization_endpoint: new URL(
-        json.device_authorization_endpoint
-      ),
-      token_endpoint: new URL(json.token_endpoint),
-      revocation_endpoint: new URL(json.revocation_endpoint),
-      jwks_uri: new URL(json.jwks_uri)
-    }
-  ];
-}
-async function deviceAuthorizationRequest() {
-  return await (0, import_node_fetch6.default)((await as()).device_authorization_endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      "user-agent": userAgent
-    },
-    body: new URLSearchParams({
-      client_id: VERCEL_CLI_CLIENT_ID,
-      scope: "openid"
-    })
-  });
-}
-async function processDeviceAuthorizationResponse(response) {
-  const json = await response.json();
-  if (!response.ok) {
-    return [new OAuthError("Device authorization request failed", json)];
-  }
-  if (typeof json !== "object" || json === null)
-    return [new TypeError("Expected response to be an object")];
-  if (!("device_code" in json) || typeof json.device_code !== "string")
-    return [new TypeError("Expected `device_code` to be a string")];
-  if (!("user_code" in json) || typeof json.user_code !== "string")
-    return [new TypeError("Expected `user_code` to be a string")];
-  if (!("verification_uri" in json) || typeof json.verification_uri !== "string" || !canParseURL(json.verification_uri)) {
-    return [new TypeError("Expected `verification_uri` to be a string")];
-  }
-  if (!("verification_uri_complete" in json) || typeof json.verification_uri_complete !== "string" || !canParseURL(json.verification_uri_complete)) {
-    return [
-      new TypeError("Expected `verification_uri_complete` to be a string")
-    ];
-  }
-  if (!("expires_in" in json) || typeof json.expires_in !== "number")
-    return [new TypeError("Expected `expires_in` to be a number")];
-  if (!("interval" in json) || typeof json.interval !== "number")
-    return [new TypeError("Expected `interval` to be a number")];
-  return [
-    null,
-    {
-      device_code: json.device_code,
-      user_code: json.user_code,
-      verification_uri: json.verification_uri,
-      verification_uri_complete: json.verification_uri_complete,
-      expiresAt: Date.now() + json.expires_in * 1e3,
-      interval: json.interval
-    }
-  ];
-}
-async function deviceAccessTokenRequest(options) {
-  try {
-    return [
-      null,
-      await (0, import_node_fetch6.default)((await as()).token_endpoint, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-          "user-agent": userAgent
-        },
-        body: new URLSearchParams({
-          client_id: VERCEL_CLI_CLIENT_ID,
-          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-          ...options
-        }),
-        // TODO: Drop `node-fetch` and just use `signal`
-        timeout: 10 * 1e3,
-        // @ts-expect-error: Signal is part of `fetch` spec, should drop `node-fetch`
-        signal: AbortSignal.timeout(10 * 1e3)
-      })
-    ];
-  } catch (error3) {
-    if (error3 instanceof Error)
-      return [error3];
-    return [
-      new Error("An unknown error occurred. See the logs for details.", {
-        cause: error3
-      })
-    ];
-  }
-}
-async function processDeviceAccessTokenResponse(response) {
-  const json = await response.json();
-  if (!response.ok) {
-    return [new OAuthError("Device access token request failed", json)];
-  }
-  if (typeof json !== "object" || json === null)
-    return [new TypeError("Expected response to be an object")];
-  if (!("access_token" in json) || typeof json.access_token !== "string")
-    return [new TypeError("Expected `access_token` to be a string")];
-  if (!("token_type" in json) || json.token_type !== "Bearer")
-    return [new TypeError('Expected `token_type` to be "Bearer"')];
-  if (!("expires_in" in json) || typeof json.expires_in !== "number")
-    return [new TypeError("Expected `expires_in` to be a number")];
-  if ("refresh_token" in json && (typeof json.refresh_token !== "string" || !json.refresh_token))
-    return [new TypeError("Expected `refresh_token` to be a string")];
-  if ("scope" in json && typeof json.scope !== "string")
-    return [new TypeError("Expected `scope` to be a string")];
-  return [null, json];
-}
-async function revocationRequest(options) {
-  return await (0, import_node_fetch6.default)((await as()).revocation_endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      "user-agent": userAgent
-    },
-    body: new URLSearchParams({ ...options, client_id: VERCEL_CLI_CLIENT_ID })
-  });
-}
-async function processRevocationResponse(response) {
-  if (response.ok)
-    return [null, null];
-  const json = await response.json();
-  return [new OAuthError("Revocation request failed", json)];
-}
-function processOAuthErrorResponse(json) {
-  if (typeof json !== "object" || json === null)
-    return new TypeError("Expected response to be an object");
-  if (!("error" in json) || typeof json.error !== "string")
-    return new TypeError("Expected `error` to be a string");
-  if ("error_description" in json && typeof json.error_description !== "string")
-    return new TypeError("Expected `error_description` to be a string");
-  if ("error_uri" in json && typeof json.error_uri !== "string")
-    return new TypeError("Expected `error_uri` to be a string");
-  return json;
-}
-function isOAuthError(error3) {
-  return error3 instanceof OAuthError;
-}
-function canParseURL(url3) {
-  try {
-    return !!new URL(url3);
-  } catch {
-    return false;
-  }
-}
-async function verifyJWT(token) {
-  try {
-    const JWKS = (0, import_jose2.createRemoteJWKSet)((await as()).jwks_uri);
-    const { payload } = await (0, import_jose2.jwtVerify)(token, JWKS, {
-      issuer: "https://vercel.com",
-      audience: ["https://api.vercel.com", "https://vercel.com/api"]
-    });
-    return [null, payload];
-  } catch (error3) {
-    if (error3 instanceof Error)
-      return [error3];
-    return [new Error("Could not verify JWT.", { cause: error3 })];
-  }
-}
-var import_node_fetch6, import_jose2, import_os8, VERCEL_ISSUER, VERCEL_CLI_CLIENT_ID, userAgent, _as, OAuthError;
-var init_oauth2 = __esm({
-  "src/util/oauth.ts"() {
-    "use strict";
-    import_node_fetch6 = __toESM3(require_lib7());
-    import_jose2 = require("jose");
-    init_ua();
-    import_os8 = require("os");
-    VERCEL_ISSUER = new URL("https://vercel.com");
-    VERCEL_CLI_CLIENT_ID = "cl_HYyOPBNtFMfHhaUn9L4QPfTZz6TP47bp";
-    userAgent = `${(0, import_os8.hostname)()} @ ${ua_default}`;
-    OAuthError = class extends Error {
-      constructor(message2, response) {
-        var __super = (...args) => {
-          super(...args);
-        };
-        const error3 = processOAuthErrorResponse(response);
-        if (error3 instanceof TypeError) {
-          const message3 = `Unexpected server response: ${JSON.stringify(response)}`;
-          __super(message3);
-          this.cause = new Error(message3, { cause: error3 });
-          this.code = "server_error";
-          return;
-        }
-        let cause = error3.error;
-        if (error3.error_description)
-          cause += `: ${error3.error_description}`;
-        if (error3.error_uri)
-          cause += ` (${error3.error_uri})`;
-        __super(message2, { cause });
-        this.cause = new Error(cause);
-        this.code = error3.error;
-      }
-    };
-  }
-});
-
 // src/commands/login/future.ts
 async function login2(client2) {
   const deviceAuthorizationResponse = await deviceAuthorizationRequest();
@@ -175880,9 +175961,9 @@ async function login2(client2) {
       output_manager_default.debug(
         `'Device Access Token response:', ${await tokenResponse.clone().text()}`
       );
-      const [tokenError, token] = await processDeviceAccessTokenResponse(tokenResponse);
-      if (isOAuthError(tokenError)) {
-        const { code: code2 } = tokenError;
+      const [tokensError, tokens] = await processTokenResponse(tokenResponse);
+      if (isOAuthError(tokensError)) {
+        const { code: code2 } = tokensError;
         switch (code2) {
           case "authorization_pending":
             continue;
@@ -175893,34 +175974,36 @@ async function login2(client2) {
             );
             continue;
           default:
-            return tokenError.cause;
+            return tokensError.cause;
         }
       }
-      if (tokenError)
-        return tokenError;
+      if (tokensError)
+        return tokensError;
+      error3 = void 0;
       output_manager_default.print((0, import_ansi_escapes6.eraseLines)(2));
       const isInitialLogin = !client2.authConfig.token;
-      client2.authConfig.token = token.access_token;
-      error3 = void 0;
-      const [accessTokenError, accessToken] = await verifyJWT(
-        token.access_token
-      );
-      if (accessTokenError) {
-        return accessTokenError;
-      }
-      output_manager_default.debug("access_token verified");
-      if (accessToken.team_id) {
+      const [inspectError, payload] = inspectToken(tokens.access_token);
+      if (inspectError)
+        return inspectError;
+      output_manager_default.debug("access_token inspected");
+      client2.updateAuthConfig({
+        token: tokens.access_token,
+        type: "oauth",
+        expiresAt: Math.floor(Date.now() / 1e3) + tokens.expires_in
+      });
+      if (payload.team_id)
         output_manager_default.debug("Current team updated");
-        client2.config.currentTeam = accessToken.team_id;
-      } else {
+      else
         output_manager_default.debug("Current team deleted");
-        delete client2.config.currentTeam;
+      client2.updateConfig({ currentTeam: payload.team_id });
+      if (tokens.refresh_token) {
+        client2.updateAuthConfig({ refreshToken: tokens.refresh_token });
       }
       if (isInitialLogin) {
         await updateCurrentTeamAfterLogin(client2, client2.config.currentTeam);
       }
-      writeToAuthConfigFile(client2.authConfig);
-      writeToConfigFile(client2.config);
+      client2.writeToAuthConfigFile();
+      client2.writeToConfigFile();
       output_manager_default.debug(`Saved credentials in "${humanizePath(global_path_default())}"`);
       output_manager_default.print(`
   ${import_chalk101.default.cyan("Congratulations!")} You are now signed in.
@@ -175951,7 +176034,6 @@ var init_future = __esm({
     import_ansi_escapes6 = __toESM3(require_ansi_escapes());
     init_error2();
     init_update_current_team_after_login();
-    init_files();
     init_global_path();
     init_pkg_name();
     init_emoji();
@@ -176081,7 +176163,7 @@ var init_logout = __esm({
 
 // src/commands/logout/future.ts
 async function logout(client2) {
-  const { config: config2, authConfig } = client2;
+  const { authConfig } = client2;
   if (!authConfig.token) {
     output_manager_default.note(
       `Not currently logged in, so ${getCommandName("logout --future")} did nothing`
@@ -176101,13 +176183,11 @@ async function logout(client2) {
     output_manager_default.error("Failed during logout");
     logoutError = true;
   }
-  delete config2.currentTeam;
-  if (config2.desktop)
-    delete config2.desktop.teamOrder;
-  delete authConfig.token;
   try {
-    writeToConfigFile(config2);
-    writeToAuthConfigFile(authConfig);
+    client2.updateConfig({ currentTeam: void 0 });
+    client2.writeToConfigFile();
+    client2.emptyAuthConfig();
+    client2.writeToAuthConfigFile();
     output_manager_default.debug("Configuration has been deleted");
     if (!logoutError) {
       output_manager_default.success("Logged out!");
@@ -176124,7 +176204,6 @@ var init_future2 = __esm({
   "src/commands/logout/future.ts"() {
     "use strict";
     import_error_utils30 = __toESM3(require_dist2());
-    init_files();
     init_pkg_name();
     init_oauth2();
     init_output_manager();
@@ -176184,9 +176263,6 @@ async function logout2(client2) {
     }
   }
   delete config2.currentTeam;
-  if (config2.desktop) {
-    delete config2.desktop.teamOrder;
-  }
   delete authConfig.token;
   try {
     writeToConfigFile(config2);
@@ -179987,10 +180063,10 @@ var import_build_utils3 = require("@vercel/build-utils");
 
 // src/util/extension/proxy.ts
 var import_http2 = require("http");
-var import_node_fetch2 = __toESM3(require_lib7());
+var import_node_fetch3 = __toESM3(require_lib7());
 var import_node_utils = __toESM3(require_dist19());
 init_output_manager();
-var toHeaders = (0, import_node_utils.buildToHeaders)({ Headers: import_node_fetch2.Headers });
+var toHeaders = (0, import_node_utils.buildToHeaders)({ Headers: import_node_fetch3.Headers });
 function createProxy(client2) {
   return (0, import_http2.createServer)(async (req, res) => {
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vercel",
-  "version": "41.7.8",
+  "version": "42.1.0",
   "preferGlobal": true,
   "license": "Apache-2.0",
   "description": "The command-line interface for Vercel",
@@ -159,9 +159,9 @@
     "write-json-file": "2.2.0",
     "xdg-app-paths": "5.1.0",
     "yauzl-promise": "2.1.3",
-    "@vercel-internals/get-package-json": "1.0.0",
+    "@vercel-internals/constants": "1.0.4",
     "@vercel-internals/types": "3.0.6",
-    "@vercel-internals/constants": "1.0.4"
+    "@vercel-internals/get-package-json": "1.0.0"
   },
   "scripts": {
     "test": "jest --reporters=default --reporters=jest-junit --env node --verbose --bail",