forcedotcom
diff --git a/‎messages/auth.md
Lines changed: 4 additions & 0 deletions b/‎messages/auth.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎package.json
Lines changed: 1 addition & 1 deletion b/‎package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/org/authInfo.ts
Lines changed: 86 additions & 17 deletions b/‎src/org/authInfo.ts
Lines changed: 86 additions & 17 deletions
diff --git a/‎src/org/connection.ts
Lines changed: 5 additions & 1 deletion b/‎src/org/connection.ts
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/webOAuthServer.ts
Lines changed: 92 additions & 12 deletions b/‎src/webOAuthServer.ts
Lines changed: 92 additions & 12 deletions
diff --git a/‎test/unit/org/authInfo.test.ts
Lines changed: 44 additions & 0 deletions b/‎test/unit/org/authInfo.test.ts
Lines changed: 44 additions & 0 deletions
diff --git a/‎test/unit/webOauthServer.test.ts
Lines changed: 20 additions & 0 deletions b/‎test/unit/webOauthServer.test.ts
Lines changed: 20 additions & 0 deletions
@@ -32,6 +32,10 @@ HTTP response contains html content. Check that the org exists and can be reache
 
 The device authorization request timed out. After executing force:auth:device:login, you must approve access to the device within 10 minutes. This can happen if the URL wasn’t copied into the browser, login was not attempted, or the 2FA process was not completed within 10 minutes. Request authorization again.
 
+# error.missingWebOauthServer.options
+
+You must specify both an `clientApp` and `username` if you intend the server to link a connected app to a user.
+
 # serverErrorHTMLResponse
 
 <html><head><style>body {background-color:#F4F6F9; font-family: Arial, sans-serif; font-size: 0.8125rem; line-height: 1.5rem; color: #16325c;} #center {margin: auto; width: 370px; padding: 100px 0px 20px;} #logo-container {margin-left: auto; margin-right: auto; text-align: center;} #logo {max-width: 180px; max-height: 113px; margin-bottom: 2rem; border: 0;} #header {font-size: 1.5rem; text-align: center; margin-bottom: 1rem;} #message {background-color: #FFFFFF; margin: 0px auto; padding: 1.25rem; border-radius: 0.25rem; border: 1px solid #D8DDE6;} #footer {height: 24px; width: 370px; text-align: center; font-size: .75rem; position: absolute; bottom: 10;}</style></head><body><div id="center"><div id="logo-container"><img id="logo" aria-hidden="true" name="logo" alt="Salesforce" src="data:image/svg+xml;base64,%s"></div><div id="header">%s</div><div id="message">%s<br/><br/>This is most likely <b>not</b> an error with the Salesforce CLI. Please ensure all information is accurate and try again.</div><div id="footer">&copy; %s Salesforce, Inc. All rights reserved.</div></div></body></html>
 
@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/core",
-  "version": "8.12.0",
+  "version": "8.12.1-dev.0",
   "description": "Core libraries to interact with SFDX projects, orgs, and APIs.",
   "main": "lib/index",
   "types": "lib/index.d.ts",
 
@@ -50,6 +50,15 @@ const messages = Messages.loadMessages('@salesforce/core', 'core');
  * Fields for authorization, org, and local information.
  */
 export type AuthFields = {
+  clientApps?: {
+    [key: string]: {
+      clientId: string;
+      clientSecret?: string;
+      accessToken: string;
+      refreshToken: string;
+      oauthFlow: 'web';
+    };
+  };
   accessToken?: string;
   alias?: string;
   authCode?: string;
@@ -607,41 +616,94 @@ export class AuthInfo extends AsyncOptionalCreatable<AuthInfo.Options> {
 
   /**
    * Get the auth fields (decrypted) needed to make a connection.
+   *
+   * @param clientApp Name of the CA/ECA associated with the user.
    */
-  public getConnectionOptions(): ConnectionOptions {
+  public getConnectionOptions(clientApp?: string): ConnectionOptions {
     const decryptedCopy = this.getFields(true);
     const { accessToken, instanceUrl, loginUrl } = decryptedCopy;
 
-    if (this.isAccessTokenFlow()) {
-      this.logger.info('Returning fields for a connection using access token.');
+    // return main app auth fields
+    if (!clientApp) {
+      if (this.isAccessTokenFlow()) {
+        this.logger.info('Returning fields for a connection using access token.');
 
-      // Just auth with the accessToken
-      return { accessToken, instanceUrl, loginUrl };
-    }
-    if (this.isJwt()) {
-      this.logger.info('Returning fields for a connection using JWT config.');
+        // Just auth with the accessToken
+        return { accessToken, instanceUrl, loginUrl };
+      }
+      if (this.isJwt()) {
+        this.logger.info('Returning fields for a connection using JWT config.');
+        return {
+          accessToken,
+          instanceUrl,
+          refreshFn: this.refreshFn.bind(this),
+        };
+      }
+      // @TODO: figure out loginUrl and redirectUri (probably get from config class)
+      //
+      // redirectUri: org.config.getOauthCallbackUrl()
+      // loginUrl: this.fields.instanceUrl || this.config.getAppConfig().sfdcLoginUrl
+      this.logger.info('Returning fields for a connection using OAuth config.');
+
+      // Decrypt a user provided client secret or use the default.
       return {
+        oauth2: {
+          loginUrl: instanceUrl ?? SfdcUrl.PRODUCTION,
+          clientId: this.getClientId(),
+          redirectUri: this.getRedirectUri(),
+        },
         accessToken,
         instanceUrl,
         refreshFn: this.refreshFn.bind(this),
       };
     }
-    // @TODO: figure out loginUrl and redirectUri (probably get from config class)
-    //
-    // redirectUri: org.config.getOauthCallbackUrl()
-    // loginUrl: this.fields.instanceUrl || this.config.getAppConfig().sfdcLoginUrl
-    this.logger.info('Returning fields for a connection using OAuth config.');
 
-    // Decrypt a user provided client secret or use the default.
+    if (!decryptedCopy.clientApps) {
+      throw new SfError(`${this.username} does not have any client app linked.`);
+    }
+
+    if (!(clientApp in decryptedCopy.clientApps)) {
+      throw new SfError(`${this.username} does not have a "${clientApp}" client app linked.`);
+    }
+
+    const decryptedApp = decryptedCopy.clientApps[clientApp];
+
     return {
       oauth2: {
         loginUrl: instanceUrl ?? SfdcUrl.PRODUCTION,
-        clientId: this.getClientId(),
+        clientId: decryptedApp.clientId,
         redirectUri: this.getRedirectUri(),
       },
-      accessToken,
+      accessToken: decryptedApp.accessToken,
       instanceUrl,
-      refreshFn: this.refreshFn.bind(this),
+      // Specific refreshFn for AuthInfo's clientApps.
+      //
+      // Each client app stores the oauth flow used for its initial auth, here we ensure each refresh returns
+      // a token, update the auth file with it and send it back to jsforce's through the callback.
+      refreshFn: async (_conn, callback): Promise<void> => {
+        // This only handles refresh for web flow.
+        // When more flows are supported for client apps, check the `app.oauthFlow` field to set the appropiate refresh helper.
+        const authFields = await this.buildRefreshTokenConfig({
+          clientId: decryptedApp.clientId,
+          clientSecret: decryptedApp.clientSecret,
+          refreshToken: decryptedApp.refreshToken,
+          loginUrl: instanceUrl,
+        });
+
+        await this.save({
+          clientApps: {
+            ...decryptedCopy.clientApps,
+            [clientApp]: {
+              accessToken: ensureString(authFields.accessToken),
+              clientId: decryptedApp.clientId,
+              clientSecret: decryptedApp.clientSecret,
+              refreshToken: decryptedApp.refreshToken,
+              oauthFlow: 'web',
+            },
+          },
+        });
+        await callback(null, authFields.accessToken);
+      },
     };
   }
 
@@ -1277,6 +1339,13 @@ export namespace AuthInfo {
      * OAuth options.
      */
     oauth2Options?: JwtOAuth2Config;
+    clientApps?: Array<{
+      name: string;
+      accessToken: string;
+      refreshToken: string;
+      clientId: string;
+      clientSecret?: string;
+    }>;
     /**
      * Options for the access token auth.
      */
 
@@ -118,7 +118,7 @@ export class Connection<S extends Schema = Schema> extends JSForceConnection<S>
       callOptions: {
         client: clientId,
       },
-      ...options.authInfo.getConnectionOptions(),
+      ...options.authInfo.getConnectionOptions(options.clientApp),
       // this assertion is questionable, but has existed before core7
     } as ConnectionConfig<S>;
 
@@ -495,6 +495,10 @@ export namespace Connection {
      */
     connectionOptions?: ConnectionConfig<S>;
+    /**
+     * Client app to use for auth info credentials.
+     */
+    clientApp?: string;
   };
 }
 
 
@@ -14,7 +14,7 @@ import { Socket } from 'node:net';
 import { EventEmitter } from 'node:events';
 import { OAuth2 } from '@jsforce/jsforce-node';
 import { AsyncCreatable, Env, set, toNumber } from '@salesforce/kit';
-import { asString, get, Nullable } from '@salesforce/ts-types';
+import { asString, ensureString, get, Nullable } from '@salesforce/ts-types';
 import { Logger } from './logger/logger';
 import { AuthInfo, DEFAULT_CONNECTED_APP_INFO } from './org/authInfo';
 import { SfError } from './sfError';
@@ -52,10 +52,24 @@ export class WebOAuthServer extends AsyncCreatable<WebOAuthServer.Options> {
   private oauth2!: OAuth2;
   private oauthConfig: JwtOAuth2Config;
   private oauthError = new Error('Oauth Error');
+  private clientApp?: string;
+  private username?: string;
 
   public constructor(options: WebOAuthServer.Options) {
     super(options);
     this.oauthConfig = options.oauthConfig;
+
+    // runtime check due to TS's loose type validation when using union types.
+    if (Object.hasOwn(options, 'username') && !Object.hasOwn(options, 'clientApp')) {
+      throw messages.createError('error.missingWebOauthServer.options');
+    }
+    if (Object.hasOwn(options, 'clientApp') && !Object.hasOwn(options, 'username')) {
+      throw messages.createError('error.missingWebOauthServer.options');
     }
+    if ('clientApp' in options) {
+      this.clientApp = options.clientApp;
+      this.username = options.username;
+    }
   }
 
   /**
@@ -95,14 +109,54 @@ export class WebOAuthServer extends AsyncCreatable<WebOAuthServer.Options> {
         this.executeOauthRequest()
           .then(async (response) => {
             try {
-              const authInfo = await AuthInfo.create({
-                oauth2Options: this.oauthConfig,
-                oauth2: this.oauth2,
-              });
-              await authInfo.save();
-              await this.webServer.handleSuccess(response);
-              response.end();
-              resolve(authInfo);
+              // Link client app to an existing auth file.
+              if (this.clientApp) {
+                const authInfo = await AuthInfo.create({
+                  oauth2Options: this.oauthConfig,
+                  oauth2: this.oauth2,
+                });
+                const authFields = authInfo.getFields(true);
+
+                // get user authInfo and save client app creds in `clientApps`
+                const userAuthInfo = await AuthInfo.create({
+                  username: this.username,
+                });
+
+                const decryptedCopy = userAuthInfo.getFields(true);
+
+                if (decryptedCopy.clientApps && this.clientApp in decryptedCopy.clientApps) {
+                  throw new SfError(
+                    `The username ${this.username} is already linked to a client app named "${this.clientApp}". Please authenticate again with a different client app name.`
+                  );
+                }
+
+                await userAuthInfo.save({
+                  clientApps: {
+                    ...userAuthInfo.getFields(true).clientApps,
+                    [this.clientApp]: {
+                      clientId: ensureString(authFields.clientId),
+                      clientSecret: authFields.clientSecret,
+                      accessToken: ensureString(authFields.accessToken),
+                      refreshToken: ensureString(authFields.refreshToken),
+                      oauthFlow: 'web',
+                    },
+                  },
+                });
+
+                await this.webServer.handleSuccess(response);
+                response.end();
+                resolve(authInfo);
+              } else {
+                // new auth, create new file.
+                const authInfo = await AuthInfo.create({
+                  oauth2Options: this.oauthConfig,
+                  oauth2: this.oauth2,
+                });
+                await authInfo.save();
+                await this.webServer.handleSuccess(response);
+                response.end();
+                resolve(authInfo);
+              }
             } catch (err) {
               this.oauthError = err as Error;
               await this.webServer.handleError(response);
@@ -276,9 +330,35 @@ export class WebOAuthServer extends AsyncCreatable<WebOAuthServer.Options> {
 }
 
 export namespace WebOAuthServer {
-  export type Options = {
-    oauthConfig: JwtOAuth2Config;
-  };
+  export type Options =
+    | {
+        oauthConfig: JwtOAuth2Config & {
+          /**
+           * OAuth scopes to be requested for the access token.
+           *
+           * This should be a string with each scope separated by spaces:
+           * "refresh_token sfap_api chatbot_api web api"
+           *
+           * If not specified, all scopes assigned to the connected app are requested.
+           */
+          scope?: string;
+        };
+      }
+    | {
+        oauthConfig: JwtOAuth2Config & {
+          /**
+           * OAuth scopes to be requested for the access token.
+           *
+           * This should be a string with each scope separated by spaces:
+           * "refresh_token sfap_api chatbot_api web api"
+           *
+           * If not specified, all scopes assigned to the connected app are requested.
+           */
+          scope?: string;
+        };
+        clientApp: string;
+        username: string;
+      };
 
   export type Request = http.IncomingMessage & {
     query: { code: string; state: string; error?: string; error_description?: string };
 
@@ -187,6 +187,50 @@ describe('AuthInfo', () => {
         // double check the stringified objects don't have secrets.
         expect(strObj).does.not.include(decryptedRefreshToken);
       });
+
+      it('should return app-specific connection options when app parameter is provided', () => {
+        const clientApp = 'agent-jwt-app';
+        const clientAppConfig = {
+          accessToken: 'app-access-token',
+          clientId: 'app-client-id',
+          clientSecret: 'app-client-secret',
+          refreshToken: 'app-refresh-token',
+          oauthFlow: 'web' as const,
+        };
+
+        // Set up the apps field in auth info
+        authInfo.update({
+          clientApps: {
+            [clientApp]: clientAppConfig,
+          },
+        });
+
+        const fields = authInfo.getConnectionOptions(clientApp);
+
+        // Verify app-specific connection options
+        expect(fields.oauth2).to.have.property('clientId', 'app-client-id');
+        expect(fields.oauth2).to.have.property('redirectUri');
+        expect(fields.accessToken).to.equal('app-access-token');
+        expect(fields).to.have.property('instanceUrl');
+        expect(fields).to.have.property('refreshFn').and.is.a('function');
+      });
+
+      it('should throw error when app does not exist', () => {
+        const clientApp = 'NonExistentApp';
+        authInfo.update({
+          clientApps: {
+            SomeOtherApp: {
+              accessToken: 'token',
+              clientId: 'client',
+              refreshToken: 'refresh',
+              oauthFlow: 'web' as const,
+            },
+          },
+        });
+        expect(() => authInfo.getConnectionOptions(clientApp)).to.throw(
+          `${authInfo.getUsername()} does not have a "${clientApp}" client app linked.`
+        );
+      });
     });
 
     describe('AuthInfo', () => {
 
@@ -414,6 +414,26 @@ describe('WebOauthServer', () => {
       expect(actual).to.equal(true);
     });
   });
+
+  describe('runtime checks', () => {
+    it('should fail if missing required params', async () => {
+      try {
+        await WebOAuthServer.create({ oauthConfig: {}, clientApp: 'agents' });
+        expect.fail();
+      } catch (err) {
+        const e = err as Error;
+        expect(e.name).to.equal('OptionsError');
+      }
+
+      try {
+        await WebOAuthServer.create({ oauthConfig: {}, username: 'johndoe@acme.com' });
+        expect.fail();
+      } catch (err) {
+        const e = err as Error;
+        expect(e.name).to.equal('OptionsError');
+      }
+    });
+  });
 });
 
 describe('WebServer', () => {
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@salesforce/core",`
`3`		`- "version": "8.12.0",`
	`3`	`+ "version": "8.12.1-dev.0",`
`4`	`4`	`"description": "Core libraries to interact with SFDX projects, orgs, and APIs.",`
`5`	`5`	`"main": "lib/index",`
`6`	`6`	`"types": "lib/index.d.ts",`