@W-20893800: Adding support for stateful auth [sfcc-ci compatibility]

Author: amit-kumar8-sf

packages/b2c-cli/src/commands/auth/client/index.ts

@@ -4,8 +4,9 @@
  * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
  */
 import {Flags} from '@oclif/core';
-import {OAuthCommand} from '@salesforce/b2c-tooling-sdk/cli';
+import {BaseCommand, loadConfig} from '@salesforce/b2c-tooling-sdk/cli';
 import {setStoredSession, decodeJWT} from '@salesforce/b2c-tooling-sdk/auth';
+import {DEFAULT_ACCOUNT_MANAGER_HOST} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../../i18n/index.js';
 
 /**
@@ -19,7 +20,7 @@ import {t} from '../../../i18n/index.js';
  *
  * Use --renew to enable automatic token renewal for later use with `auth client renew`.
  */
-export default class AuthClient extends OAuthCommand<typeof AuthClient> {
+export default class AuthClient extends BaseCommand<typeof AuthClient> {
   static description = t('commands.auth.client.description', 'Authenticate an API client and save session');
 
   static examples = [
@@ -30,6 +31,29 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
   ];
 
   static flags = {
+    'client-id': Flags.string({
+      description: 'Client ID for OAuth',
+      env: 'SFCC_CLIENT_ID',
+      helpGroup: 'AUTH',
+    }),
+    'client-secret': Flags.string({
+      description: 'Client secret for OAuth',
+      env: 'SFCC_CLIENT_SECRET',
+      helpGroup: 'AUTH',
+    }),
+    'account-manager-host': Flags.string({
+      description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+      env: 'SFCC_ACCOUNT_MANAGER_HOST',
+      helpGroup: 'AUTH',
+    }),
+    'auth-scope': Flags.string({
+      description: 'OAuth scopes to request (comma-separated)',
+      env: 'SFCC_OAUTH_SCOPES',
+      multiple: true,
+      multipleNonGreedy: true,
+      delimiter: ',',
+      helpGroup: 'AUTH',
+    }),
     renew: Flags.boolean({
       char: 'r',
       description: 'Enable automatic token renewal (stores credentials for later refresh)',
@@ -50,6 +74,20 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
     }),
   };
 
+  protected override loadConfiguration() {
+    const scopes = this.flags['auth-scope'] as string[] | undefined;
+    return loadConfig(
+      {
+        clientId: this.flags['client-id'] as string | undefined,
+        clientSecret: this.flags['client-secret'] as string | undefined,
+        accountManagerHost: this.flags['account-manager-host'] as string | undefined,
+        scopes: scopes && scopes.length > 0 ? scopes : undefined,
+      },
+      this.getBaseConfigOptions(),
+      this.getPluginSources(),
+    );
+  }
+
   async run(): Promise<void> {
     const clientId = this.resolvedConfig.values.clientId;
     const clientSecret = this.resolvedConfig.values.clientSecret;
@@ -65,19 +103,9 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
 
     const user = this.flags.user;
     const userPassword = this.flags['user-password'];
-    const grantTypeFlag = this.flags['grant-type'];
+    const grantType = this.resolveGrantType(this.flags['grant-type'], user);
     const autoRenew = this.flags.renew;
 
-    // Determine grant type: explicit flag > auto-detect from user/password > client_credentials
-    let grantType: string;
-    if (grantTypeFlag) {
-      grantType = grantTypeFlag;
-    } else if (user) {
-      grantType = 'password';
-    } else {
-      grantType = 'client_credentials';
-    }
-
     if (grantType === 'password' && (!user || !userPassword)) {
       this.error(
         t(
@@ -87,7 +115,7 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
       );
     }
 
-    const accountManagerHost = this.accountManagerHost;
+    const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
     const scopes = this.resolvedConfig.values.scopes;
 
     const grantPayload: Record<string, string> = {grant_type: grantType};
@@ -128,14 +156,11 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
     if (!response.ok) {
       const errorText = await response.text();
       this.logger.trace({method, url, body: errorText}, `[StatefulAuth RESP BODY] ${method} ${url}`);
-      let errorMsg: string;
-      try {
-        const parsed = JSON.parse(errorText) as {error_description?: string};
-        errorMsg = parsed.error_description ?? errorText;
-      } catch {
-        errorMsg = errorText;
-      }
-      this.error(t('commands.auth.client.failed', 'Authentication failed: {{error}}', {error: errorMsg}));
+      this.error(
+        t('commands.auth.client.failed', 'Authentication failed: {{error}}', {
+          error: this.parseErrorMessage(errorText),
+        }),
+      );
     }
 
     const data = (await response.json()) as {
@@ -148,28 +173,40 @@ export default class AuthClient extends OAuthCommand<typeof AuthClient> {
 
     this.logger.trace({method, url, body: data}, `[StatefulAuth RESP BODY] ${method} ${url}`);
 
-    // Extract user from id_token JWT if issued (matches sfcc-ci behavior)
-    let sessionUser: null | string = null;
-    if (data.id_token) {
-      try {
-        const decoded = decodeJWT(data.id_token);
-        if (typeof decoded.payload.sub === 'string') {
-          sessionUser = decoded.payload.sub;
-        }
-      } catch {
-        // Ignore JWT decode errors for id_token
-      }
-    }
-
     setStoredSession({
       clientId,
       accessToken: data.access_token,
       refreshToken: data.refresh_token ?? null,
       renewBase: autoRenew ? credentials : null,
-      user: sessionUser,
+      user: this.extractUser(data.id_token),
     });
 
     const renewMsg = autoRenew ? ' Auto-renewal enabled.' : '';
     this.log(t('commands.auth.client.success', 'Authentication succeeded.{{renewMsg}}', {renewMsg}));
   }
+
+  private extractUser(idToken: string | undefined): null | string {
+    if (!idToken) return null;
+    try {
+      const decoded = decodeJWT(idToken);
+      return typeof decoded.payload.sub === 'string' ? decoded.payload.sub : null;
+    } catch {
+      return null;
+    }
+  }
+
+  private parseErrorMessage(errorText: string): string {
+    try {
+      const parsed = JSON.parse(errorText) as {error_description?: string};
+      return parsed.error_description ?? errorText;
+    } catch {
+      return errorText;
+    }
+  }
+
+  private resolveGrantType(grantTypeFlag: string | undefined, user: string | undefined): string {
+    if (grantTypeFlag) return grantTypeFlag;
+    if (user) return 'password';
+    return 'client_credentials';
+  }
 }

packages/b2c-cli/src/commands/auth/client/renew.ts

@@ -3,8 +3,10 @@
  * SPDX-License-Identifier: Apache-2
  * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
  */
-import {OAuthCommand} from '@salesforce/b2c-tooling-sdk/cli';
+import {Flags} from '@oclif/core';
+import {BaseCommand, loadConfig} from '@salesforce/b2c-tooling-sdk/cli';
 import {getStoredSession, setStoredSession} from '@salesforce/b2c-tooling-sdk/auth';
+import {DEFAULT_ACCOUNT_MANAGER_HOST} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../../i18n/index.js';
 
 /**
@@ -16,11 +18,27 @@ import {t} from '../../../i18n/index.js';
  * Uses refresh_token grant when a refresh token is stored, otherwise falls back
  * to client_credentials grant using the stored base64-encoded client:secret.
  */
-export default class AuthClientRenew extends OAuthCommand<typeof AuthClientRenew> {
+export default class AuthClientRenew extends BaseCommand<typeof AuthClientRenew> {
   static description = t('commands.auth.client.renew.description', 'Renew the client authentication token');
 
   static examples = ['<%= config.bin %> <%= command.id %>'];
 
+  static flags = {
+    'account-manager-host': Flags.string({
+      description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+      env: 'SFCC_ACCOUNT_MANAGER_HOST',
+      helpGroup: 'AUTH',
+    }),
+  };
+
+  protected override loadConfiguration() {
+    return loadConfig(
+      {accountManagerHost: this.flags['account-manager-host'] as string | undefined},
+      this.getBaseConfigOptions(),
+      this.getPluginSources(),
+    );
+  }
+
   async run(): Promise<void> {
     const session = getStoredSession();
 
@@ -33,7 +51,7 @@ export default class AuthClientRenew extends OAuthCommand<typeof AuthClientRenew
       );
     }
 
-    const accountManagerHost = this.accountManagerHost;
+    const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
     const url = `https://${accountManagerHost}/dwsso/oauth2/access_token`;
 
     // Use refresh_token grant if available, otherwise client_credentials

packages/b2c-cli/src/commands/auth/login.ts

@@ -3,16 +3,18 @@
  * SPDX-License-Identifier: Apache-2
  * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
  */
-import {OAuthCommand} from '@salesforce/b2c-tooling-sdk/cli';
+import {Flags} from '@oclif/core';
+import {BaseCommand, loadConfig} from '@salesforce/b2c-tooling-sdk/cli';
 import {ImplicitOAuthStrategy, setStoredSession, decodeJWT} from '@salesforce/b2c-tooling-sdk/auth';
+import {DEFAULT_ACCOUNT_MANAGER_HOST} from '@salesforce/b2c-tooling-sdk';
 import {t, withDocs} from '../../i18n/index.js';
 
 /**
  * Log in via browser (implicit OAuth) and persist the session for stateful auth.
  * Uses the same storage as sfcc-ci; when valid, subsequent commands use this token
  * until it expires or you run auth:logout.
  */
-export default class AuthLogin extends OAuthCommand<typeof AuthLogin> {
+export default class AuthLogin extends BaseCommand<typeof AuthLogin> {
   static description = withDocs(
     t('commands.auth.login.description', 'Log in via browser and save session (stateful auth)'),
     '/cli/auth.html#b2c-auth-login',
@@ -23,15 +25,49 @@ export default class AuthLogin extends OAuthCommand<typeof AuthLogin> {
     '<%= config.bin %> <%= command.id %> --client-id your-client-id',
   ];
 
+  static flags = {
+    'client-id': Flags.string({
+      description: 'Client ID for OAuth',
+      env: 'SFCC_CLIENT_ID',
+      helpGroup: 'AUTH',
+    }),
+    'account-manager-host': Flags.string({
+      description: `Account Manager hostname for OAuth (default: ${DEFAULT_ACCOUNT_MANAGER_HOST})`,
+      env: 'SFCC_ACCOUNT_MANAGER_HOST',
+      helpGroup: 'AUTH',
+    }),
+    'auth-scope': Flags.string({
+      description: 'OAuth scopes to request (comma-separated)',
+      env: 'SFCC_OAUTH_SCOPES',
+      multiple: true,
+      multipleNonGreedy: true,
+      delimiter: ',',
+      helpGroup: 'AUTH',
+    }),
+  };
+
+  protected override loadConfiguration() {
+    const scopes = this.flags['auth-scope'] as string[] | undefined;
+    return loadConfig(
+      {
+        clientId: this.flags['client-id'] as string | undefined,
+        accountManagerHost: this.flags['account-manager-host'] as string | undefined,
+        scopes: scopes && scopes.length > 0 ? scopes : undefined,
+      },
+      this.getBaseConfigOptions(),
+      this.getPluginSources(),
+    );
+  }
+
   async run(): Promise<void> {
-    const clientId = this.resolvedConfig.values.clientId ?? this.getDefaultClientId();
+    const clientId = this.resolvedConfig.values.clientId;
     if (!clientId) {
       this.error(
         t('error.oauthClientIdRequired', 'OAuth client ID required. Provide --client-id or set SFCC_CLIENT_ID.'),
       );
     }
 
-    const accountManagerHost = this.accountManagerHost;
+    const accountManagerHost = this.resolvedConfig.values.accountManagerHost ?? DEFAULT_ACCOUNT_MANAGER_HOST;
     const scopes = this.resolvedConfig.values.scopes;
 
     const strategy = new ImplicitOAuthStrategy({

packages/b2c-cli/src/commands/auth/logout.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2
  * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
  */
-import {OAuthCommand} from '@salesforce/b2c-tooling-sdk/cli';
+import {BaseCommand} from '@salesforce/b2c-tooling-sdk/cli';
 import {clearStoredSession} from '@salesforce/b2c-tooling-sdk/auth';
 import {t, withDocs} from '../../i18n/index.js';
 
@@ -12,7 +12,7 @@ import {t, withDocs} from '../../i18n/index.js';
  * Uses the same storage as sfcc-ci; after logout, commands use stateless auth
  * (client credentials or implicit) when configured.
  */
-export default class AuthLogout extends OAuthCommand<typeof AuthLogout> {
+export default class AuthLogout extends BaseCommand<typeof AuthLogout> {
   static description = withDocs(
     t('commands.auth.logout.description', 'Clear stored session (stateful auth)'),
     '/cli/auth.html#b2c-auth-logout',