generated client credentials oauth flow code

azrosen92 · azrosen92 · commit 571fbc07d5a6 · 2025-01-29T13:41:17.000-07:00
diff --git a/gusto_embedded/.genignore b/gusto_embedded/.genignore
@@ -0,0 +1 @@
+/src/hooks/clientcredentials.ts
diff --git a/gusto_embedded/src/hooks/clientcredentials.ts b/gusto_embedded/src/hooks/clientcredentials.ts
@@ -0,0 +1,210 @@
+// Code originally generated by Speakeasy (https://www.speakeasyapi.dev).
+
+import * as z from "zod";
+import { stringToBase64 } from "../lib/base64.js";
+import { env } from "../lib/env.js";
+import { HTTPClient } from "../lib/http.js";
+import { parse } from "../lib/schemas.js";
+import * as components from "../models/components/index.js";
+import {
+  AfterErrorContext,
+  AfterErrorHook,
+  BeforeRequestContext,
+  BeforeRequestHook,
+  SDKInitHook,
+  SDKInitOptions,
+} from "./types.js";
+
+type Credentials = {
+  clientID: string;
+  clientSecret: string;
+  tokenURL: string | undefined;
+};
+
+type Session = {
+  credentials: Credentials;
+  token: string;
+  expiresAt?: number;
+  scopes: string[];
+};
+
+export class ClientCredentialsHook
+  implements SDKInitHook, BeforeRequestHook, AfterErrorHook
+{
+  private baseURL?: URL | null;
+  private client?: HTTPClient;
+  private sessions: Record<string, Session> = {};
+
+  sdkInit(opts: SDKInitOptions): SDKInitOptions {
+    this.baseURL = opts.baseURL;
+    this.client = opts.client;
+
+    return opts;
+  }
+
+  async beforeRequest(
+    hookCtx: BeforeRequestContext,
+    request: Request
+  ): Promise<Request> {
+    if (!hookCtx.oAuth2Scopes) {
+      // OAuth2 not in use
+      return request;
+    }
+
+    const credentials = await this.getCredentials(hookCtx.securitySource);
+    if (!credentials) {
+      return request;
+    }
+
+    const sessionKey = this.getSessionKey(credentials);
+
+    let session = this.sessions[sessionKey];
+    if (
+      !session ||
+      !this.hasRequiredScopes(session.scopes, hookCtx.oAuth2Scopes) ||
+      this.hasTokenExpired(session.expiresAt)
+    ) {
+      session = await this.doTokenRequest(
+        credentials,
+        this.getScopes(hookCtx.oAuth2Scopes, session)
+      );
+
+      this.sessions[sessionKey] = session;
+    }
+
+    request.headers.set("Authorization", `Bearer ${session.token}`);
+
+    return request;
+  }
+
+  async afterError(
+    hookCtx: AfterErrorContext,
+    response: Response | null,
+    error: unknown
+  ): Promise<{ response: Response | null; error: unknown }> {
+    if (!hookCtx.oAuth2Scopes) {
+      // OAuth2 not in use
+      return { response, error };
+    }
+
+    if (error) {
+      return { response, error };
+    }
+
+    const credentials = await this.getCredentials(hookCtx.securitySource);
+    if (!credentials) {
+      return { response, error };
+    }
+
+    if (response && response?.status === 401) {
+      const sessionKey = this.getSessionKey(credentials);
+      delete this.sessions[sessionKey];
+    }
+
+    return { response, error };
+  }
+
+  private async doTokenRequest(
+    credentials: Credentials,
+    scopes: string[]
+  ): Promise<Session> {
+    const formData = new URLSearchParams();
+    formData.append("grant_type", "system_access");
+    formData.append("client_id", credentials.clientID);
+    formData.append("client_secret", credentials.clientSecret);
+
+    if (scopes.length > 0) {
+      formData.append("scope", scopes.join(" "));
+    }
+
+    const tokenURL = new URL(credentials.tokenURL ?? "", this.baseURL ?? "");
+
+    const request = new Request(tokenURL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: formData,
+    });
+
+    const res = await this.client?.request(request);
+    if (!res) {
+      throw new Error("Failed to fetch token");
+    }
+
+    if (res.status < 200 || res.status >= 300) {
+      throw new Error("Unexpected status code");
+    }
+
+    const data = await res.json();
+    if (!data || typeof data !== "object") {
+      throw new Error("Unexpected response format");
+    }
+
+    if (data.token_type !== "Bearer") {
+      throw new Error("Unexpected token type");
+    }
+
+    let expiresAt: number | undefined;
+    if (data.expires_in) {
+      expiresAt = Date.now() + data.expires_in * 1000;
+    }
+
+    const sess: Session = {
+      credentials,
+      token: data.access_token,
+      scopes,
+    };
+
+    if (expiresAt !== undefined) {
+      sess.expiresAt = expiresAt;
+    }
+
+    return sess;
+  }
+
+  private async getCredentials(
+    source?: unknown | (() => Promise<unknown>)
+  ): Promise<Credentials | null> {
+    if (!source) {
+      return null;
+    }
+
+    let security = source;
+    if (typeof source === "function") {
+      security = await source();
+    }
+    const out = parse(
+      security,
+      (val) => z.lazy(() => components.Security$outboundSchema).parse(val),
+      "unexpected security type"
+    );
+
+    return {
+      clientID: out?.clientID ?? env().GUSTOEMBEDDED_CLIENT_ID ?? "",
+      clientSecret:
+        out?.clientSecret ?? env().GUSTOEMBEDDED_CLIENT_SECRET ?? "",
+      tokenURL: out?.tokenURL ?? env().GUSTOEMBEDDED_TOKEN_URL ?? "",
+    };
+  }
+
+  private getSessionKey(credentials: Credentials): string {
+    const key = `${credentials.clientID}:${credentials.clientSecret}`;
+    return stringToBase64(key);
+  }
+
+  private hasRequiredScopes(
+    scopes: string[],
+    requiredScopes: string[]
+  ): boolean {
+    return requiredScopes.every((scope) => scopes.includes(scope));
+  }
+
+  private getScopes(requiredScopes: string[], sess?: Session): string[] {
+    return [...new Set((sess?.scopes ?? []).concat(requiredScopes))];
+  }
+
+  private hasTokenExpired(expiresAt?: number): boolean {
+    return !expiresAt || Date.now() + 60000 > expiresAt;
+  }
+}
diff --git a/gusto_embedded/src/systemAuth.ts b/gusto_embedded/src/systemAuth.ts
@@ -0,0 +1,109 @@
+import * as z from "zod";
+import { SDK_METADATA } from "./lib/config";
+
+// TypeScript SDKs use Zod for runtime data validation. We can use Zod
+// to describe the shape of the response from the OAuth token endpoint. If the
+// response is valid, Speakeasy can safely access the token and its expiration time.
+const tokenResponseSchema = z.object({
+  access_token: z.string(),
+  expires_in: z.number().positive(),
+});
+
+// This is a rough value that adjusts when we consider an access token to be
+// expired. It accounts for clock drift between the client and server
+// and slow or unreliable networks.
+const tolerance = 5 * 60 * 1000;
+
+/**
+ * A callback function that can be used to obtain an OAuth access token for use
+ * with SDKs that require OAuth security. A new token is requested from the
+ * OAuth provider when the current token has expired.
+ */
+export function withSystemAccess(
+  clientID: string,
+  clientSecret: string,
+  options: { tokenStore?: TokenStore; url?: string } = {}
+) {
+  const {
+    tokenStore = new InMemoryTokenStore(),
+    // Replace this with your default OAuth provider's access token endpoint.
+    url = "https://api.gusto-demo.com/oauth/token",
+  } = options;
+
+  // tokenStore.set({ token: accessToken, expires: 10 });
+
+  return async (): Promise<string> => {
+    const session = await tokenStore.get();
+
+    // Return the current token if it has not expired yet.
+    if (session && session.expires > Date.now()) {
+      return session.token;
+    }
+
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          // Include the SDK's user agent in the request so requests can be
+          // tracked using observability infrastructure.
+          "user-agent": SDK_METADATA.userAgent,
+        },
+        body: new URLSearchParams({
+          client_id: clientID,
+          client_secret: clientSecret,
+          grant_type: "system_access",
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error("Unexpected status code: " + response.status);
+      }
+
+      const json = await response.json();
+      const data = tokenResponseSchema.parse(json);
+
+      await tokenStore.set({
+        token: data.access_token,
+        expires: Date.now() + data.expires_in * 1000 - tolerance,
+      });
+
+      return data.access_token;
+    } catch (error) {
+      throw new Error("Failed to obtain OAuth token: " + error);
+    }
+  };
+}
+
+/**
+ * A TokenStore is used to save and retrieve OAuth tokens for use across SDK
+ * method calls. This interface can be implemented to store tokens in memory,
+ * a shared cache like Redis or a database table.
+ */
+export interface TokenStore {
+  get(): Promise<{ token: string; expires: number } | undefined>;
+  set({ token, expires }: { token: string; expires: number }): Promise<void>;
+}
+
+/**
+ * InMemoryTokenStore holds OAuth access tokens in memory for use by SDKs and
+ * methods that require OAuth security.
+ */
+export class InMemoryTokenStore implements TokenStore {
+  private token = "";
+  private expires = Date.now();
+
+  constructor() {}
+
+  async get() {
+    return {
+      token: this.token,
+      expires: this.expires,
+    };
+  }
+
+  async set({ token, expires }: { token: string; expires: number }) {
+    this.token = token;
+    this.expires = expires;
+  }
+}
