/**
* @file Convenience helper for reading the Socket API token from the canonical
* env → keychain precedence order. Centralizes two constants every fleet
* consumer would otherwise hard-code: the keychain service name
* (`socketsecurity`) and the env-var + account fallback list
* (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
* like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
* redoing the `resolve({ service, accounts })` boilerplate.
*/
import { resolve, resolveSync } from './find'
// Service name handed to the resolver on the first lookup; the file header
// describes it as the keychain service name.
const SOCKET_SERVICE = 'socketsecurity'
// Second service name, consulted only when the lookup under SOCKET_SERVICE
// comes back null/undefined.
// NOTE(review): presumably the entry written by older socket-cli installs —
// confirm, and consider when this fallback can be retired so a stale
// credential is not picked up indefinitely.
const SOCKET_SERVICE_LEGACY = 'socket-cli'
// The canonical fallback list the resolver reads (SOCKET_API_TOKEN first, then
// the SOCKET_API_KEY legacy alias) — the one place the alias legitimately
// appears as a literal.
// oxlint-disable-next-line socket/socket-api-token-env -- canonical resolver names the legacy alias by design
const TOKEN_ACCOUNTS = ['SOCKET_API_TOKEN', 'SOCKET_API_KEY'] as const
/**
 * Options accepted by `readSocketApiToken()` and `readSocketApiTokenSync()`.
 */
export interface ReadSocketApiTokenOptions {
  /**
   * Set to `true` to disable the keychain fallback. In that mode the resolver
   * looks at `process.env.SOCKET_API_TOKEN`, then `process.env.SOCKET_API_KEY`,
   * and yields `undefined` straight away when neither is set. Intended for
   * headless contexts (CI, bootstrap hooks) where a Keychain auth prompt is
   * unacceptable.
   *
   * The flag is forwarded unchanged to the resolver in `./find`; the env-only
   * behaviour itself is implemented there, not in this file.
   *
   * @default false
   */
  allowEnvOnly?: boolean | undefined
}
/**
 * Reads the Socket API token asynchronously.
 *
 * The lookup runs against the `socketsecurity` service first. The legacy
 * `socket-cli` service is queried only when that first lookup produces
 * `null`/`undefined`. Both lookups use the same account list
 * (`SOCKET_API_TOKEN`, then `SOCKET_API_KEY`) and the same `allowEnvOnly`
 * setting.
 *
 * The returned string is a credential: keep it out of logs, error messages
 * and telemetry.
 *
 * @param options - Optional settings; `allowEnvOnly` is passed through to the
 *   resolver.
 * @returns The `value` of whichever lookup succeeded, or `undefined` when
 *   neither produced a result.
 */
export async function readSocketApiToken(
  options?: ReadSocketApiTokenOptions | undefined,
): Promise<string | undefined> {
  const allowEnvOnly = options?.allowEnvOnly

  const primary = await resolve({
    service: SOCKET_SERVICE,
    accounts: TOKEN_ACCOUNTS,
    allowEnvOnly,
  })
  if (primary != null) {
    return primary.value
  }

  // Nothing under the current service name: retry under the legacy one.
  const legacy = await resolve({
    service: SOCKET_SERVICE_LEGACY,
    accounts: TOKEN_ACCOUNTS,
    allowEnvOnly,
  })
  return legacy?.value
}
/**
 * Synchronous counterpart of `readSocketApiToken()`.
 *
 * Queries the `socketsecurity` service first and falls back to the legacy
 * `socket-cli` service only when the first lookup produces
 * `null`/`undefined`. Both lookups share the account list
 * (`SOCKET_API_TOKEN`, then `SOCKET_API_KEY`) and the `allowEnvOnly` setting.
 *
 * The returned string is a credential: keep it out of logs, error messages
 * and telemetry.
 *
 * @param options - Optional settings; `allowEnvOnly` is passed through to the
 *   resolver.
 * @returns The `value` of whichever lookup succeeded, or `undefined` when
 *   neither produced a result.
 */
export function readSocketApiTokenSync(
  options?: ReadSocketApiTokenOptions | undefined,
): string | undefined {
  const allowEnvOnly = options?.allowEnvOnly

  const primary = resolveSync({
    service: SOCKET_SERVICE,
    accounts: TOKEN_ACCOUNTS,
    allowEnvOnly,
  })
  if (primary != null) {
    return primary.value
  }

  // Nothing under the current service name: retry under the legacy one.
  const legacy = resolveSync({
    service: SOCKET_SERVICE_LEGACY,
    accounts: TOKEN_ACCOUNTS,
    allowEnvOnly,
  })
  return legacy?.value
}