mirror of
https://github.com/mountain-loop/yaak.git
synced 2026-03-26 19:31:25 +01:00
116 lines
3.5 KiB
TypeScript
116 lines
3.5 KiB
TypeScript
import { readFileSync } from "node:fs";
|
|
import type { Context, HttpRequest } from "@yaakapp/api";
|
|
import type { AccessToken, AccessTokenRawResponse, TokenStoreArgs } from "./store";
|
|
import { deleteToken, getToken, storeToken } from "./store";
|
|
import { isTokenExpired } from "./util";
|
|
|
|
export async function getOrRefreshAccessToken(
|
|
ctx: Context,
|
|
tokenArgs: TokenStoreArgs,
|
|
{
|
|
scope,
|
|
accessTokenUrl,
|
|
credentialsInBody,
|
|
clientId,
|
|
clientSecret,
|
|
forceRefresh,
|
|
}: {
|
|
scope: string | null;
|
|
accessTokenUrl: string;
|
|
credentialsInBody: boolean;
|
|
clientId: string;
|
|
clientSecret: string;
|
|
forceRefresh?: boolean;
|
|
},
|
|
): Promise<AccessToken | null> {
|
|
const token = await getToken(ctx, tokenArgs);
|
|
if (token == null) {
|
|
return null;
|
|
}
|
|
|
|
const isExpired = isTokenExpired(token);
|
|
|
|
// Return the current access token if it's still valid
|
|
if (!isExpired && !forceRefresh) {
|
|
return token;
|
|
}
|
|
|
|
// Token is expired, but there's no refresh token :(
|
|
if (!token.response.refresh_token) {
|
|
return null;
|
|
}
|
|
|
|
// Access token is expired, so get a new one
|
|
const httpRequest: Partial<HttpRequest> = {
|
|
method: "POST",
|
|
url: accessTokenUrl,
|
|
bodyType: "application/x-www-form-urlencoded",
|
|
body: {
|
|
form: [
|
|
{ name: "grant_type", value: "refresh_token" },
|
|
{ name: "refresh_token", value: token.response.refresh_token },
|
|
],
|
|
},
|
|
headers: [
|
|
{ name: "User-Agent", value: "yaak" },
|
|
{ name: "Accept", value: "application/x-www-form-urlencoded, application/json" },
|
|
{ name: "Content-Type", value: "application/x-www-form-urlencoded" },
|
|
],
|
|
};
|
|
|
|
if (scope) httpRequest.body?.form.push({ name: "scope", value: scope });
|
|
|
|
if (credentialsInBody) {
|
|
httpRequest.body?.form.push({ name: "client_id", value: clientId });
|
|
httpRequest.body?.form.push({ name: "client_secret", value: clientSecret });
|
|
} else {
|
|
const value = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`;
|
|
httpRequest.headers?.push({ name: "Authorization", value });
|
|
}
|
|
|
|
httpRequest.authenticationType = "none"; // Don't inherit workspace auth
|
|
const resp = await ctx.httpRequest.send({ httpRequest });
|
|
|
|
if (resp.error) {
|
|
throw new Error(`Failed to refresh access token: ${resp.error}`);
|
|
}
|
|
|
|
if (resp.status >= 400 && resp.status < 500) {
|
|
// Client errors (4xx) indicate the refresh token is invalid, expired, or revoked
|
|
// Delete the token and return null to trigger a fresh authorization flow
|
|
console.log("[oauth2] Refresh token request failed with client error, deleting token");
|
|
await deleteToken(ctx, tokenArgs);
|
|
return null;
|
|
}
|
|
|
|
const body = resp.bodyPath ? readFileSync(resp.bodyPath, "utf8") : "";
|
|
|
|
console.log("[oauth2] Got refresh token response", resp.status);
|
|
|
|
if (resp.status < 200 || resp.status >= 300) {
|
|
throw new Error(`Failed to refresh access token with status=${resp.status} and body=${body}`);
|
|
}
|
|
|
|
// oxlint-disable-next-line no-explicit-any
|
|
let response: any;
|
|
try {
|
|
response = JSON.parse(body);
|
|
} catch {
|
|
response = Object.fromEntries(new URLSearchParams(body));
|
|
}
|
|
|
|
if (response.error) {
|
|
throw new Error(
|
|
`Failed to fetch access token with ${response.error} -> ${response.error_description}`,
|
|
);
|
|
}
|
|
|
|
const newResponse: AccessTokenRawResponse = {
|
|
...response,
|
|
// Assign a new one or keep the old one,
|
|
refresh_token: response.refresh_token ?? token.response.refresh_token,
|
|
};
|
|
|
|
return storeToken(ctx, tokenArgs, newResponse);
|
|
}
|