Merge pull request #1228 from forcedotcom/sh/support-codebuilder-ca

feat: support code builder web auth - W-16646649

Author: shetzel

messages/auth.md

@@ -24,6 +24,14 @@ Invalid request method: %s
 
 Invalid request uri: %s
 
+# warn.invalidClientId
+
+Code Builder web authentication is only supported with the Code Builder connected app. Ignoring client ID: %s
+
+# error.invalidCodeBuilderState
+
+Invalid authentication state.
+
 # error.HttpApi
 
 HTTP response contains html content. Check that the org exists and can be reached.

src/org/authInfo.ts

@@ -129,6 +129,7 @@ export type JwtOAuth2Config = OAuth2Config & {
   authCode?: string;
   refreshToken?: string;
   username?: string;
+  state?: string;
 };
 
 type UserInfo = AnyJson & {
@@ -191,6 +192,11 @@ export const DEFAULT_CONNECTED_APP_INFO = {
   clientSecret: '',
 };
 
+export const CODE_BUILDER_CONNECTED_APP_INFO = {
+  clientId: 'CodeBuilder',
+  clientSecret: '',
+};
+
 /**
  * Handles persistence and fetching of user authentication information using
  * JWT, OAuth, or refresh tokens. Sets up the refresh flows that jsForce will
@@ -350,7 +356,7 @@ export class AuthInfo extends AsyncOptionalCreatable<AuthInfo.Options> {
     // The state parameter allows the redirectUri callback listener to ignore request
     // that don't contain the state value.
     const params = {
-      state: randomBytes(Math.ceil(6)).toString('hex'),
+      state: options.state ?? randomBytes(Math.ceil(6)).toString('hex'),
       prompt: 'login',
       // Default connected app is 'refresh_token api web'
       scope: options.scope ?? env.getString('SFDX_AUTH_SCOPES', 'refresh_token api web'),

src/webOAuthServer.ts

@@ -16,7 +16,7 @@ import { OAuth2 } from '@jsforce/jsforce-node';
 import { AsyncCreatable, Env, set, toNumber } from '@salesforce/kit';
 import { asString, ensureString, get, Nullable } from '@salesforce/ts-types';
 import { Logger } from './logger/logger';
-import { AuthInfo, DEFAULT_CONNECTED_APP_INFO } from './org/authInfo';
+import { AuthInfo, DEFAULT_CONNECTED_APP_INFO, CODE_BUILDER_CONNECTED_APP_INFO } from './org/authInfo';
 import { SfError } from './sfError';
 import { Messages } from './messages';
 import { SfProjectJson } from './sfProject';
@@ -28,6 +28,8 @@ const messages = Messages.loadMessages('@salesforce/core', 'auth');
 // Server ignores requests for site icons
 const iconPaths = ['/favicon.ico', '/apple-touch-icon-precomposed.png'];
 
+const CODE_BUILDER_REDIRECT_URI = 'https://api.code-builder.platform.salesforce.com/api/auth/salesforce/callback';
+
 /**
  * Handles the creation of a web server for web based login flows.
  *
@@ -193,10 +195,28 @@ export class WebOAuthServer extends AsyncCreatable<WebOAuthServer.Options> {
   protected async init(): Promise<void> {
     this.logger = await Logger.child(this.constructor.name);
     const port = await WebOAuthServer.determineOauthPort();
+    this.oauthConfig.loginUrl ??= AuthInfo.getDefaultInstanceUrl();
+    const env = new Env();
+
+    if (env.getBoolean('CODE_BUILDER')) {
+      if (this.oauthConfig.clientId && this.oauthConfig.clientId !== CODE_BUILDER_CONNECTED_APP_INFO.clientId) {
+        this.logger.warn(messages.getMessage('warn.invalidClientId', [this.oauthConfig.clientId]));
+      }
+      this.oauthConfig.clientId = CODE_BUILDER_CONNECTED_APP_INFO.clientId;
+      const cbStateSha = env.getString('CODE_BUILDER_STATE');
+      if (!cbStateSha) {
+        throw messages.createError('error.invalidCodeBuilderState');
+      }
+      this.oauthConfig.state = JSON.stringify({
+        PORT: port,
+        CODE_BUILDER_STATE: cbStateSha,
+      });
+      this.oauthConfig.redirectUri = CODE_BUILDER_REDIRECT_URI;
+    } else {
+      this.oauthConfig.clientId ??= DEFAULT_CONNECTED_APP_INFO.clientId;
+      this.oauthConfig.redirectUri ??= `http://localhost:${port}/OauthRedirect`;
+    }
 
-    if (!this.oauthConfig.clientId) this.oauthConfig.clientId = DEFAULT_CONNECTED_APP_INFO.clientId;
-    if (!this.oauthConfig.loginUrl) this.oauthConfig.loginUrl = AuthInfo.getDefaultInstanceUrl();
-    if (!this.oauthConfig.redirectUri) this.oauthConfig.redirectUri = `http://localhost:${port}/OauthRedirect`;
     // Unless explicitly turned off, use a code verifier as a best practice
     if (this.oauthConfig.useVerifier !== false) this.oauthConfig.useVerifier = true;
 

test/unit/org/authInfo.test.ts

@@ -1302,6 +1302,24 @@ describe('AuthInfo', () => {
       expect(url).to.contain('prompt=login');
       expect(url).to.contain('scope=from-option');
     });
+
+    it('should return the correct url with state', () => {
+      const state = JSON.stringify({ PORT: 12_345, CODE_BUILDER_STATE: '1234567890' });
+      const options = {
+        clientId: 'CodeBuilder',
+        redirectUri: testOrg.redirectUri,
+        loginUrl: testOrg.loginUrl,
+        state,
+        scope: 'test',
+      };
+      const url = AuthInfo.getAuthorizationUrl(options);
+
+      expect(url.startsWith(options.loginUrl), 'authorization URL should start with the loginUrl').to.be.true;
+      expect(url).to.contain(`state=${encodeURIComponent(state)}`);
+      expect(url).to.contain('prompt=login');
+      expect(url).to.contain('scope=test');
+      expect(url).to.contain('client_id=CodeBuilder');
+    });
   });
 
   describe('getSfdxAuthUrl', () => {

test/unit/webOauthServer.test.ts

@@ -54,6 +54,22 @@ describe('WebOauthServer', () => {
       expect(authUrl).to.include('state=');
       expect(authUrl).to.include('response_type=code');
     });
+
+    it('should return authorization url for code builder', async () => {
+      const cbState = '1234567890';
+      stubMethod($$.SANDBOX, Env.prototype, 'getBoolean').withArgs('CODE_BUILDER').returns(true);
+      stubMethod($$.SANDBOX, Env.prototype, 'getString').withArgs('CODE_BUILDER_STATE').returns(cbState);
+      const oauthServer = await WebOAuthServer.create({ oauthConfig: {} });
+      const authUrl = oauthServer.getAuthorizationUrl();
+      expect(authUrl).to.not.be.undefined;
+      expect(authUrl).to.include('client_id=CodeBuilder');
+      expect(authUrl).to.include('code_challenge=');
+      expect(authUrl).to.include('state=');
+      expect(authUrl).to.include('response_type=code');
+      expect(authUrl).to.include('redirect_uri=');
+      expect(authUrl).to.include('api.code-builder.platform.salesforce.com');
+      expect(authUrl).to.include(cbState);
+    });
   });
 
   describe('authorizeAndSave', () => {