Fix PKCE flow and clean up other flows

packages/plugin-runtime-types/src/bindings/gen_search.ts

@@ -2,4 +2,4 @@
 
 export type PluginMetadata = { version: string, name: string, displayName: string, description: string | null, homepageUrl: string | null, repositoryUrl: string | null, };
 
-export type PluginVersion = { id: string, version: string, description: string | null, name: string, displayName: string, homepageUrl: string | null, repositoryUrl: string | null, checksum: string, readme: string | null, yanked: boolean, };
+export type PluginVersion = { id: string, version: string, url: string, description: string | null, name: string, displayName: string, homepageUrl: string | null, repositoryUrl: string | null, checksum: string, readme: string | null, yanked: boolean, };

packages/plugin-runtime/src/index.ts

@@ -53,3 +53,7 @@ async function handleIncoming(msg: string) {
 
   plugin.sendToWorker(pluginEvent);
 }
+
+process.on('unhandledRejection', (reason, promise) => {
+  console.error('Unhandled Rejection at:', promise, 'reason:', reason);
+});

plugins/auth-oauth2/src/fetchAccessToken.ts

@@ -1,8 +1,8 @@
-import { Context, HttpRequest, HttpUrlParameter } from '@yaakapp/api';
+import type { Context, HttpRequest, HttpUrlParameter } from '@yaakapp/api';
 import { readFileSync } from 'node:fs';
-import { AccessTokenRawResponse } from './store';
+import type { AccessTokenRawResponse } from './store';
 
-export async function getAccessToken(
+export async function fetchAccessToken(
   ctx: Context,
   {
     accessTokenUrl,

plugins/auth-oauth2/src/getAccessTokenIfNotExpired.ts

@@ -0,0 +1,19 @@
+import type { Context } from '@yaakapp/api';
+import type { AccessToken } from './store';
+import { getToken } from './store';
+
+export async function getAccessTokenIfNotExpired(
+  ctx: Context,
+  contextId: string,
+): Promise<AccessToken | null> {
+  const token = await getToken(ctx, contextId);
+  if (token == null || isTokenExpired(token)) {
+    return null;
+  }
+
+  return token;
+}
+
+export function isTokenExpired(token: AccessToken) {
+  return token.expiresAt && Date.now() > token.expiresAt;
+}

plugins/auth-oauth2/src/getOrRefreshAccessToken.ts

@@ -1,29 +1,34 @@
-import { Context, HttpRequest } from '@yaakapp/api';
+import type { Context, HttpRequest } from '@yaakapp/api';
 import { readFileSync } from 'node:fs';
-import { AccessToken, AccessTokenRawResponse, deleteToken, getToken, storeToken } from './store';
+import { isTokenExpired } from './getAccessTokenIfNotExpired';
+import type { AccessToken, AccessTokenRawResponse } from './store';
+import { deleteToken, getToken, storeToken } from './store';
 
-export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
+export async function getOrRefreshAccessToken(
-  scope,
+  ctx: Context,
-  accessTokenUrl,
+  contextId: string,
-  credentialsInBody,
+  {
-  clientId,
+    scope,
-  clientSecret,
+    accessTokenUrl,
-  forceRefresh,
+    credentialsInBody,
-}: {
+    clientId,
-  scope: string | null;
+    clientSecret,
-  accessTokenUrl: string;
+    forceRefresh,
-  credentialsInBody: boolean;
+  }: {
-  clientId: string;
+    scope: string | null;
-  clientSecret: string;
+    accessTokenUrl: string;
-  forceRefresh?: boolean;
+    credentialsInBody: boolean;
-}): Promise<AccessToken | null> {
+    clientId: string;
+    clientSecret: string;
+    forceRefresh?: boolean;
+  },
+): Promise<AccessToken | null> {
   const token = await getToken(ctx, contextId);
   if (token == null) {
     return null;
   }
 
-  const now = Date.now();
+  const isExpired = isTokenExpired(token);
-  const isExpired = token.expiresAt && now > token.expiresAt;
 
   // Return the current access token if it's still valid
   if (!isExpired && !forceRefresh) {
@@ -79,7 +84,9 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
   console.log('[oauth2] Got refresh token response', resp.status);
 
   if (resp.status < 200 || resp.status >= 300) {
-    throw new Error('Failed to refresh access token with status=' + resp.status + ' and body=' + body);
+    throw new Error(
+      'Failed to refresh access token with status=' + resp.status + ' and body=' + body,
+    );
   }
 
   let response;
@@ -90,7 +97,9 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
   }
 
   if (response.error) {
-    throw new Error(`Failed to fetch access token with ${response.error} -> ${response.error_description}`);
+    throw new Error(
+      `Failed to fetch access token with ${response.error} -> ${response.error_description}`,
+    );
   }
 
   const newResponse: AccessTokenRawResponse = {

plugins/auth-oauth2/src/grants/authorizationCode.ts

@@ -1,8 +1,9 @@
-import { Context } from '@yaakapp/api';
+import type { Context } from '@yaakapp/api';
 import { createHash, randomBytes } from 'node:crypto';
-import { getAccessToken } from '../getAccessToken';
+import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import { AccessToken, getDataDirKey, storeToken } from '../store';
+import type { AccessToken } from '../store';
+import { getDataDirKey, storeToken } from '../store';
 
 export const PKCE_SHA256 = 'S256';
 export const PKCE_PLAIN = 'plain';
@@ -34,8 +35,8 @@ export async function getAuthorizationCode(
     audience: string | null;
     credentialsInBody: boolean;
     pkce: {
-      challengeMethod: string | null;
+      challengeMethod: string;
-      codeVerifier: string | null;
+      codeVerifier: string;
     } | null;
     tokenName: 'access_token' | 'id_token';
   },
@@ -59,26 +60,25 @@ export async function getAuthorizationCode(
   if (state) authorizationUrl.searchParams.set('state', state);
   if (audience) authorizationUrl.searchParams.set('audience', audience);
   if (pkce) {
-    const verifier = pkce.codeVerifier || createPkceCodeVerifier();
-    const challengeMethod = pkce.challengeMethod || DEFAULT_PKCE_METHOD;
     authorizationUrl.searchParams.set(
       'code_challenge',
-      createPkceCodeChallenge(verifier, challengeMethod),
+      pkceCodeChallenge(pkce.codeVerifier, pkce.challengeMethod),
     );
-    authorizationUrl.searchParams.set('code_challenge_method', challengeMethod);
+    authorizationUrl.searchParams.set('code_challenge_method', pkce.challengeMethod);
   }
 
-  return new Promise(async (resolve, reject) => {
+  const logsEnabled = (await ctx.store.get('enable_logs')) ?? false;
-    const authorizationUrlStr = authorizationUrl.toString();
+  const dataDirKey = await getDataDirKey(ctx, contextId);
-    const logsEnabled = (await ctx.store.get('enable_logs')) ?? false;
+  const authorizationUrlStr = authorizationUrl.toString();
-    console.log('[oauth2] Authorizing', authorizationUrlStr);
+  console.log('[oauth2] Authorizing', authorizationUrlStr);
 
+  // eslint-disable-next-line no-async-promise-executor
+  const code = await new Promise<string>(async (resolve, reject) => {
     let foundCode = false;
-
+    const { close } = await ctx.window.openUrl({
-    let { close } = await ctx.window.openUrl({
       url: authorizationUrlStr,
       label: 'oauth-authorization-url',
-      dataDirKey: await getDataDirKey(ctx, contextId),
+      dataDirKey,
       async onClose() {
         if (!foundCode) {
           reject(new Error('Authorization window closed'));
@@ -89,6 +89,7 @@ export async function getAuthorizationCode(
         if (logsEnabled) console.log('[oauth2] Navigated to', urlStr);
 
         if (url.searchParams.has('error')) {
+          close();
           return reject(new Error(`Failed to authorize: ${url.searchParams.get('error')}`));
         }
 
@@ -101,37 +102,35 @@ export async function getAuthorizationCode(
         // Close the window here, because we don't need it anymore!
         foundCode = true;
         close();
-
+        resolve(code);
-        console.log('[oauth2] Code found');
-        const response = await getAccessToken(ctx, {
-          grantType: 'authorization_code',
-          accessTokenUrl,
-          clientId,
-          clientSecret,
-          scope,
-          audience,
-          credentialsInBody,
-          params: [
-            { name: 'code', value: code },
-            ...(redirectUri ? [{ name: 'redirect_uri', value: redirectUri }] : []),
-          ],
-        });
-
-        try {
-          resolve(await storeToken(ctx, contextId, response, tokenName));
-        } catch (err) {
-          reject(err);
-        }
       },
     });
   });
+
+  console.log('[oauth2] Code found');
+  const response = await fetchAccessToken(ctx, {
+    grantType: 'authorization_code',
+    accessTokenUrl,
+    clientId,
+    clientSecret,
+    scope,
+    audience,
+    credentialsInBody,
+    params: [
+      { name: 'code', value: code },
+      ...(pkce ? [{ name: 'code_verifier', value: pkce.codeVerifier }] : []),
+      ...(redirectUri ? [{ name: 'redirect_uri', value: redirectUri }] : []),
+    ],
+  });
+
+  return storeToken(ctx, contextId, response, tokenName);
 }
 
-function createPkceCodeVerifier() {
+export function genPkceCodeVerifier() {
   return encodeForPkce(randomBytes(32));
 }
 
-function createPkceCodeChallenge(verifier: string, method: string) {
+function pkceCodeChallenge(verifier: string, method: string) {
   if (method === 'plain') {
     return verifier;
   }

plugins/auth-oauth2/src/grants/clientCredentials.ts

@@ -1,5 +1,6 @@
-import { Context } from '@yaakapp/api';
+import type { Context } from '@yaakapp/api';
-import { getAccessToken } from '../getAccessToken';
+import { fetchAccessToken } from '../fetchAccessToken';
+import { isTokenExpired } from '../getAccessTokenIfNotExpired';
 import { getToken, storeToken } from '../store';
 
 export async function getClientCredentials(
@@ -22,13 +23,11 @@ export async function getClientCredentials(
   },
 ) {
   const token = await getToken(ctx, contextId);
-  if (token) {
+  if (token && !isTokenExpired(token)) {
-    // resolve(token.response.access_token);
+    return token;
-    // TODO: Refresh token if expired
-    // return;
   }
 
-  const response = await getAccessToken(ctx, {
+  const response = await fetchAccessToken(ctx, {
     grantType: 'client_credentials',
     accessTokenUrl,
     audience,

plugins/auth-oauth2/src/grants/implicit.ts

@@ -1,7 +1,9 @@
-import { Context } from '@yaakapp/api';
+import type { Context } from '@yaakapp/api';
-import { AccessToken, AccessTokenRawResponse, getToken, storeToken } from '../store';
+import { isTokenExpired } from '../getAccessTokenIfNotExpired';
+import type { AccessToken, AccessTokenRawResponse} from '../store';
+import { getToken, storeToken } from '../store';
 
-export function getImplicit(
+export async function getImplicit(
   ctx: Context,
   contextId: string,
   {
@@ -24,31 +26,30 @@ export function getImplicit(
     tokenName: 'access_token' | 'id_token';
   },
 ): Promise<AccessToken> {
-  return new Promise(async (resolve, reject) => {
+  const token = await getToken(ctx, contextId);
-    const token = await getToken(ctx, contextId);
+  if (token != null && !isTokenExpired(token)) {
-    if (token) {
+    return token;
-      // resolve(token.response.access_token);
+  }
-      // TODO: Refresh token if expired
-      // return;
-    }
 
-    const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
-    authorizationUrl.searchParams.set('response_type', 'token');
+  authorizationUrl.searchParams.set('response_type', 'token');
-    authorizationUrl.searchParams.set('client_id', clientId);
+  authorizationUrl.searchParams.set('client_id', clientId);
-    if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
+  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
-    if (scope) authorizationUrl.searchParams.set('scope', scope);
+  if (scope) authorizationUrl.searchParams.set('scope', scope);
-    if (state) authorizationUrl.searchParams.set('state', state);
+  if (state) authorizationUrl.searchParams.set('state', state);
-    if (audience) authorizationUrl.searchParams.set('audience', audience);
+  if (audience) authorizationUrl.searchParams.set('audience', audience);
-    if (responseType.includes('id_token')) {
+  if (responseType.includes('id_token')) {
-      authorizationUrl.searchParams.set(
+    authorizationUrl.searchParams.set(
-        'nonce',
+      'nonce',
-        String(Math.floor(Math.random() * 9999999999999) + 1),
+      String(Math.floor(Math.random() * 9999999999999) + 1),
-      );
+    );
-    }
+  }
 
-    const authorizationUrlStr = authorizationUrl.toString();
+  // eslint-disable-next-line no-async-promise-executor
+  const newToken = await new Promise<AccessToken>(async (resolve, reject) => {
     let foundAccessToken = false;
-    let { close } = await ctx.window.openUrl({
+    const authorizationUrlStr = authorizationUrl.toString();
+    const { close } = await ctx.window.openUrl({
       url: authorizationUrlStr,
       label: 'oauth-authorization-url',
       async onClose() {
@@ -76,11 +77,13 @@ export function getImplicit(
 
         const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
         try {
-          resolve(await storeToken(ctx, contextId, response));
+          resolve(storeToken(ctx, contextId, response));
         } catch (err) {
           reject(err);
         }
       },
     });
   });
+
+  return newToken;
 }

plugins/auth-oauth2/src/grants/password.ts

@@ -1,7 +1,8 @@
-import { Context } from '@yaakapp/api';
+import type { Context } from '@yaakapp/api';
-import { getAccessToken } from '../getAccessToken';
+import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import { AccessToken, storeToken } from '../store';
+import type { AccessToken} from '../store';
+import { storeToken } from '../store';
 
 export async function getPassword(
   ctx: Context,
@@ -37,7 +38,7 @@ export async function getPassword(
     return token;
   }
 
-  const response = await getAccessToken(ctx, {
+  const response = await fetchAccessToken(ctx, {
     accessTokenUrl,
     clientId,
     clientSecret,

plugins/auth-oauth2/src/index.ts

@@ -1,4 +1,4 @@
-import {
+import type {
   Context,
   FormInputSelectOption,
   GetHttpAuthenticationConfigRequest,
@@ -6,6 +6,7 @@ import {
   PluginDefinition,
 } from '@yaakapp/api';
 import {
+  genPkceCodeVerifier,
   DEFAULT_PKCE_METHOD,
   getAuthorizationCode,
   PKCE_PLAIN,
@@ -14,7 +15,8 @@ import {
 import { getClientCredentials } from './grants/clientCredentials';
 import { getImplicit } from './grants/implicit';
 import { getPassword } from './grants/password';
-import { AccessToken, deleteToken, getToken, resetDataDirKey } from './store';
+import type { AccessToken } from './store';
+import { deleteToken, getToken, resetDataDirKey } from './store';
 
 type GrantType = 'authorization_code' | 'implicit' | 'password' | 'client_credentials';
 
@@ -219,9 +221,9 @@ export const plugin: PluginDefinition = {
       },
       {
         type: 'text',
-        name: 'pkceCodeVerifier',
+        name: 'pkceCodeChallenge',
         label: 'Code Verifier',
-        placeholder: 'Automatically generated if not provided',
+        placeholder: 'Automatically generated when not set',
         optional: true,
         dynamic: hiddenIfNot(['authorization_code'], ({ usePkce }) => !!usePkce),
       },
@@ -325,8 +327,8 @@ export const plugin: PluginDefinition = {
           credentialsInBody,
           pkce: values.usePkce
             ? {
-                challengeMethod: stringArg(values, 'pkceChallengeMethod'),
+                challengeMethod: stringArg(values, 'pkceChallengeMethod') || DEFAULT_PKCE_METHOD,
-                codeVerifier: stringArgOrNull(values, 'pkceCodeVerifier'),
+                codeVerifier: stringArg(values, 'pkceCodeVerifier') || genPkceCodeVerifier(),
               }
             : null,
           tokenName: tokenName,