Return to a more standard credentials check.

Author: hynek-urban

src/services/ramp.ts

@@ -14,7 +14,7 @@
 
 import { randomUUID } from 'node:crypto';
 import type { Browser, BrowserContext, Response } from 'playwright';
-import { ApiCredentials, ApiCredentialStatus, OAuthCredentials } from '../apiCredentials/base.js';
+import { ApiCredentials, OAuthCredentials } from '../apiCredentials/base.js';
 import {
   exchangeCodeForTokens,
   generateCodeChallenge,
@@ -193,10 +193,18 @@ export class Ramp extends Service {
     'Ramp agent-tools API; the REST API is not supported. ' +
     'Docs: https://api.ramp.com/v1/public/agent-tools/spec/.';
 
-  // Unused: browser-login credentials are validated by holding/refreshing a live
-  // token (see checkApiCredentials), not by hitting a resource endpoint. Only present
-  // because the base class declares it abstract.
+  // Validate credentials against `search-help-center-snippets`: the one agent-tools
+  // endpoint that requires only a valid token and no specific scope (`security:
+  // [{oauth2: []}]` in the spec), so the check works regardless of which scopes the
+  // signed-in user's agent key was granted. It's a POST taking a required
+  // {query, rationale} body; a bad token returns a non-200 (404 DEVELOPER_7002).
   readonly credentialCheckCurlArguments = [
+    '-X',
+    'POST',
+    '-H',
+    'Content-Type: application/json',
+    '-d',
+    '{"query":"ping","rationale":"latchkey credential check"}',
     'https://api.ramp.com/developer/v1/agent-tools/search-help-center-snippets',
   ] as const;
 
@@ -243,28 +251,6 @@ export class Ramp extends Service {
       )
     );
   }
-
-  /**
-   * Validate credentials by confirming a live token is held (refreshing first if
-   * expired) rather than by hitting a resource endpoint -- Ramp has no scope-free
-   * endpoint, so a resource check would force the user to grant a particular scope.
-   */
-  override async checkApiCredentials(apiCredentials: ApiCredentials): Promise<ApiCredentialStatus> {
-    if (!(apiCredentials instanceof OAuthCredentials)) {
-      return ApiCredentialStatus.Missing;
-    }
-    let credentials: OAuthCredentials | null = apiCredentials;
-    if (credentials.isExpired() === true) {
-      const refreshed = await this.refreshCredentials(apiCredentials);
-      credentials = refreshed instanceof OAuthCredentials ? refreshed : null;
-    }
-    if (credentials?.accessToken === undefined) {
-      return ApiCredentialStatus.Invalid;
-    }
-    return credentials.isExpired() === true
-      ? ApiCredentialStatus.Invalid
-      : ApiCredentialStatus.Valid;
-  }
 }
 
 export const RAMP = new Ramp();

tests/ramp-session.test.ts

@@ -10,7 +10,6 @@
 import { describe, it, expect } from 'vitest';
 import { RAMP } from '../src/services/ramp.js';
 import { AuthorizationBearer, OAuthCredentials } from '../src/apiCredentials/base.js';
-import { ApiCredentialStatus } from '../src/apiCredentials/base.js';
 import { ServiceSession } from '../src/services/core/base.js';
 
 const FUTURE = new Date(Date.now() + 60 * 60 * 1000).toISOString();
@@ -48,21 +47,3 @@ describe('Ramp.refreshCredentials with OAuth (browser-login) credentials', () =>
     expect(await RAMP.refreshCredentials(new AuthorizationBearer('tok'))).toBeNull();
   });
 });
-
-describe('Ramp.checkApiCredentials with OAuth (browser-login) credentials', () => {
-  it('reports Valid when a live (unexpired) access token is held', async () => {
-    const creds = new OAuthCredentials('ramp_id_test', '', 'access-token', 'refresh-token', FUTURE);
-    expect(await RAMP.checkApiCredentials(creds)).toBe(ApiCredentialStatus.Valid);
-  });
-
-  it('reports Invalid when there is no access token and no way to obtain one', async () => {
-    const creds = new OAuthCredentials('ramp_id_test', '', undefined, undefined, undefined);
-    expect(await RAMP.checkApiCredentials(creds)).toBe(ApiCredentialStatus.Invalid);
-  });
-
-  it('reports Missing for unrelated credential types', async () => {
-    expect(await RAMP.checkApiCredentials(new AuthorizationBearer('tok'))).toBe(
-      ApiCredentialStatus.Missing
-    );
-  });
-});