fix: removed unefficient AI generated call pattern using one-use object types created for 2-3 variable passing.

refactor: streamline session state management using configuration functions
Refactored configuration loading function.
2026-03-07 16:33:13 +01:00 · 2026-03-07 15:36:48 +01:00 · 2026-03-07 15:18:46 +01:00
18 changed files with 223 additions and 321 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
    "name": "@slawek/sk-az-tools",
-    "version": "0.4.3",
+    "version": "0.4.5",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
@@ -16,7 +16,9 @@
                "@slawek/sk-tools": ">=0.1.0",
                "azure-devops-node-api": "^15.1.2",
                "minimatch": "^10.1.2",
-                "open": "^10.1.0"
+                "open": "^10.1.0",
+                "semver": "^7.7.2",
+                "uuid": "^11.1.0"
            },
            "bin": {
                "sk-az-tools": "dist/cli.js"
@@ -154,6 +156,15 @@
                "node": ">=16"
            }
        },
+        "node_modules/@azure/identity/node_modules/uuid": {
+            "version": "8.3.2",
+            "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+            "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+            "license": "MIT",
+            "bin": {
+                "uuid": "dist/bin/uuid"
+            }
+        },
        "node_modules/@azure/logger": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/@azure/logger/-/logger-1.3.0.tgz",
@@ -233,6 +244,15 @@
                "node": ">=0.8.0"
            }
        },
+        "node_modules/@azure/msal-node/node_modules/uuid": {
+            "version": "8.3.2",
+            "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+            "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+            "license": "MIT",
+            "bin": {
+                "uuid": "dist/bin/uuid"
+            }
+        },
        "node_modules/@babel/runtime": {
            "version": "7.28.6",
            "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
@@ -1576,12 +1596,16 @@
            "license": "MIT"
        },
        "node_modules/uuid": {
-            "version": "8.3.2",
-            "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-            "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+            "version": "11.1.0",
+            "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
+            "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+            "funding": [
+                "https://github.com/sponsors/broofa",
+                "https://github.com/sponsors/ctavan"
+            ],
            "license": "MIT",
            "bin": {
-                "uuid": "dist/bin/uuid"
+                "uuid": "dist/esm/bin/uuid"
            }
        },
        "node_modules/wrappy": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@slawek/sk-az-tools",
-    "version": "0.4.3",
+    "version": "0.4.5",
    "type": "module",
    "files": [
        "dist",
@@ -27,7 +27,8 @@
        "azure-devops-node-api": "^15.1.2",
        "minimatch": "^10.1.2",
        "open": "^10.1.0",
-        "semver": "^7.7.2"
+        "semver": "^7.7.2",
+        "uuid": "^11.1.0"
    },
    "devDependencies": {
        "@types/node": ">=24.0.0",
--- a/src/azure/client-auth.ts
+++ b/src/azure/client-auth.ts
@@ -1,18 +1,16 @@
 // SPDX-License-Identifier: MIT

 import { DefaultAzureCredential, ClientSecretCredential, DeviceCodeCredential } from "@azure/identity";
+import type { AuthenticationResult } from "@azure/msal-node";
+import { acquireResourceToken as acquireResourceTokenPca } from "./pca-auth.ts";

 type CredentialType = "d" | "default" | "cs" | "clientSecret" | "dc" | "deviceCode";

-type CredentialOptions = {
-  tenantId?: string;
-  clientId?: string;
-  clientSecret?: string;
-};
-
 export async function getCredential(
  credentialType: CredentialType,
-  options: CredentialOptions,
+  tenantId?: string,
+  clientId?: string,
+  clientSecret?: string,
 ): Promise<DefaultAzureCredential | ClientSecretCredential | DeviceCodeCredential> {
  switch (credentialType) {
    case "d":
@@ -20,26 +18,26 @@ export async function getCredential(
      return new DefaultAzureCredential();
    case "cs":
    case "clientSecret":
-      if (!options.tenantId || !options.clientId || !options.clientSecret) {
+      if (!tenantId || !clientId || !clientSecret) {
        throw new Error(
          "tenantId, clientId, and clientSecret are required for ClientSecretCredential",
        );
      }
      return new ClientSecretCredential(
-        options.tenantId,
-        options.clientId,
-        options.clientSecret,
+        tenantId,
+        clientId,
+        clientSecret,
      );
    case "dc":
    case "deviceCode":
-      if (!options.tenantId || !options.clientId) {
+      if (!tenantId || !clientId) {
        throw new Error(
          "tenantId and clientId are required for DeviceCodeCredential",
        );
      }
      return new DeviceCodeCredential({
-        tenantId: options.tenantId,
-        clientId: options.clientId,
+        tenantId,
+        clientId,
        userPromptCallback: (info) => {
          console.log(info.message);
        },
@@ -48,3 +46,11 @@ export async function getCredential(
      throw new Error(`Unsupported credential type: ${credentialType}`);
  }
 }
+
+export async function acquireResourceToken(
+  tenantId: string,
+  clientId: string,
+  resource: string,
+): Promise<AuthenticationResult | null> {
+  return acquireResourceTokenPca(tenantId, clientId, resource);
+}
--- a/src/azure/index.ts
+++ b/src/azure/index.ts
@@ -7,11 +7,19 @@
 */

 export { getCredential } from "./client-auth.ts";
+import { acquireResourceToken as acquireResourceTokenPca } from "./pca-auth.ts";
 export {
  loginInteractive,
  loginDeviceCode,
  login,
  logout,
  parseResources,
-  acquireResourceTokenFromLogin,
 } from "./pca-auth.ts";
+
+export async function acquireResourceToken(
+  tenantId: string,
+  clientId: string,
+  resource: string,
+) {
+  return acquireResourceTokenPca(tenantId, clientId, resource);
+}
--- a/src/azure/pca-auth.ts
+++ b/src/azure/pca-auth.ts
@@ -2,17 +2,17 @@

 import open, { apps } from "open";
 import fs from "node:fs";
-import { readFile, writeFile, mkdir, unlink } from "node:fs/promises";
+import { writeFile, mkdir, unlink } from "node:fs/promises";
 import path from "node:path";

 import { PublicClientApplication } from "@azure/msal-node";
+import { getConfig, getConfigDir } from "@slawek/sk-tools";
 import type {
  AccountInfo,
  AuthenticationResult,
  ICachePlugin,
  TokenCacheContext,
 } from "@azure/msal-node";
-import os from "node:os";

 const RESOURCE_SCOPE_BY_NAME = {
  graph: "https://graph.microsoft.com/.default",
@@ -27,96 +27,32 @@ const LOGIN_REQUIRED_MESSAGE = "Login required. Run: sk-az-tools login";
 const BROWSER_KEYWORDS = Object.keys(apps).sort();
 const OPEN_APPS = apps as Record<string, string | readonly string[]>;
 const CHROMIUM_BROWSERS = new Set(["edge", "chrome", "brave"]);
+const CONFIG_FILE_NAME = "config";

 type SessionState = {
  activeAccountUpn: string | null;
 };

-type BrowserOptions = {
-  browser?: string;
-  browserProfile?: string;
-};
-
-type LoginInteractiveOptions = {
-  tenantId?: string;
-  clientId?: string;
-  scopes: string[];
-  showAuthUrlOnly?: boolean;
-  browser?: string;
-  browserProfile?: string;
-};
-
-type LoginDeviceCodeOptions = {
-  tenantId?: string;
-  clientId?: string;
-  scopes: string[];
-};
-
-type LoginOptions = {
-  tenantId?: string;
-  clientId?: string;
-  resourcesCsv?: string;
-  useDeviceCode?: boolean;
-  noBrowser?: boolean;
-  browser?: string;
-  browserProfile?: string;
-};
-
-type AcquireResourceTokenOptions = {
-  tenantId?: string;
-  clientId?: string;
-  resource?: string;
-};
-
-type LogoutOptions = {
-  tenantId?: string;
-  clientId?: string;
-  clearAll?: boolean;
-  userPrincipalName?: string;
-};
-
-function getCacheRoot(): string {
-  const isWindows = process.platform === "win32";
-  const userRoot = isWindows
-    ? process.env.LOCALAPPDATA || os.homedir()
-    : os.homedir();
-
-  return isWindows
-    ? path.join(userRoot, "sk-az-tools")
-    : path.join(userRoot, ".config", "sk-az-tools");
-}
-
-function getSessionFilePath(): string {
-  return path.join(getCacheRoot(), "login-session.json");
-}
-
 async function readSessionState(): Promise<SessionState> {
-  try {
-    const sessionJson = await readFile(getSessionFilePath(), "utf8");
-    const parsed = JSON.parse(sessionJson) as { activeAccountUpn?: unknown };
-    return {
-      activeAccountUpn:
-        typeof parsed?.activeAccountUpn === "string"
-          ? parsed.activeAccountUpn
-          : null,
-    };
-  } catch (err) {
-    if ((err as { code?: string } | null)?.code === "ENOENT") {
-      return { activeAccountUpn: null };
-    }
-    throw err;
-  }
+  const parsed = (await getConfig("sk-az-tools", CONFIG_FILE_NAME)) as { activeAccountUpn?: unknown };
+  return {
+    activeAccountUpn:
+      typeof parsed?.activeAccountUpn === "string"
+        ? parsed.activeAccountUpn
+        : null,
+  };
 }

 async function writeSessionState(state: SessionState): Promise<void> {
-  const sessionPath = getSessionFilePath();
+  const sessionPath = path.join(getConfigDir("sk-az-tools"), `${CONFIG_FILE_NAME}.json`);
  await mkdir(path.dirname(sessionPath), { recursive: true });
  await writeFile(sessionPath, JSON.stringify(state, null, 2), "utf8");
 }

 async function clearSessionState(): Promise<void> {
  try {
-    await unlink(getSessionFilePath());
+    const sessionPath = path.join(getConfigDir("sk-az-tools"), `${CONFIG_FILE_NAME}.json`);
+    await unlink(sessionPath);
  } catch (err) {
    if ((err as { code?: string } | null)?.code !== "ENOENT") {
      throw err;
@@ -124,10 +60,6 @@ async function clearSessionState(): Promise<void> {
  }
 }

-function normalizeUpn(upn: unknown): string {
-  return typeof upn === "string" ? upn.trim().toLowerCase() : "";
-}
-
 function writeStderr(message: string): void {
  process.stderr.write(`${message}\n`);
 }
@@ -165,7 +97,7 @@ function getBrowserKeyword(browser?: string): string {
  return keyword.toLowerCase();
 }

-function getBrowserOpenOptions({ browser, browserProfile }: BrowserOptions): Parameters<typeof open>[1] {
+function getBrowserOpenOptions(browser?: string, browserProfile?: string): Parameters<typeof open>[1] {
  const browserName = getBrowserAppName(browser);

  if (!browserProfile || browserProfile.trim() === "") {
@@ -194,7 +126,7 @@ function getBrowserOpenOptions({ browser, browserProfile }: BrowserOptions): Par
  };
 }

-function validateBrowserOptions({ browser, browserProfile }: BrowserOptions): void {
+function validateBrowserOptions(browser?: string, browserProfile?: string): void {
  if (browser && browser.trim() !== "") {
    getBrowserAppName(browser);
  }
@@ -246,8 +178,8 @@ function fileCachePlugin(cachePath: string): ICachePlugin {
  };
 }

-async function createPca({ tenantId, clientId }: { tenantId: string; clientId: string }): Promise<PublicClientApplication> {
-  const cacheRoot = getCacheRoot();
+async function createPca(tenantId: string, clientId: string): Promise<PublicClientApplication> {
+  const cacheRoot = getConfigDir("sk-az-tools");
  const cachePath = path.join(cacheRoot, `${clientId}-msal.cache`);
  let cachePlugin: ICachePlugin;
  try {
@@ -281,15 +213,11 @@ async function createPca({ tenantId, clientId }: { tenantId: string; clientId: s
  });
 }

-async function acquireTokenWithCache({
-  pca,
-  scopes,
-  account,
-}: {
-  pca: PublicClientApplication;
-  scopes: string[];
-  account?: AccountInfo | null;
-}): Promise<AuthenticationResult | null> {
+async function acquireTokenWithCache(
+  pca: PublicClientApplication,
+  scopes: string[],
+  account?: AccountInfo | null,
+): Promise<AuthenticationResult | null> {
  if (account) {
    try {
      return await pca.acquireTokenSilent({
@@ -316,43 +244,40 @@ async function acquireTokenWithCache({
  return null;
 }

-async function findAccountByUpn({
-  pca,
-  upn,
-}: {
-  pca: PublicClientApplication;
-  upn: string | null;
-}): Promise<AccountInfo | null> {
-  const normalized = normalizeUpn(upn);
+async function findAccountByUpn(
+  pca: PublicClientApplication,
+  upn: string,
+): Promise<AccountInfo | null> {
+  const normalized = upn.trim().toLowerCase();
  if (!normalized) {
    return null;
  }

  const accounts = await pca.getTokenCache().getAllAccounts();
  return (
-    accounts.find((account) => normalizeUpn(account?.username) === normalized) ??
+    accounts.find((account) => account.username.trim().toLowerCase() === normalized) ??
    null
  );
 }

-export async function loginInteractive({
-  tenantId,
-  clientId,
-  scopes,
+export async function loginInteractive(
+  tenantId: string | undefined,
+  clientId: string | undefined,
+  scopes: string[],
  showAuthUrlOnly = false,
-  browser,
-  browserProfile,
-}: LoginInteractiveOptions): Promise<AuthenticationResult | null> {
+  browser?: string,
+  browserProfile?: string,
+): Promise<AuthenticationResult | null> {
  if (!tenantId) throw new Error("tenantId is required");
  if (!clientId) throw new Error("clientId is required");
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error("scopes[] is required");
  }
-  validateBrowserOptions({ browser, browserProfile });
+  validateBrowserOptions(browser, browserProfile);

-  const pca = await createPca({ tenantId, clientId });
+  const pca = await createPca(tenantId, clientId);

-  const cached = await acquireTokenWithCache({ pca, scopes });
+  const cached = await acquireTokenWithCache(pca, scopes);
  if (cached) return cached;

  return pca.acquireTokenInteractive({
@@ -362,7 +287,7 @@ export async function loginInteractive({
        writeStderr(`Visit:\n${url}`);
        return;
      }
-      const options = getBrowserOpenOptions({ browser, browserProfile });
+      const options = getBrowserOpenOptions(browser, browserProfile);
      await open(url, options).catch(() => {
        writeStderr(`Visit:\n${url}`);
      });
@@ -370,16 +295,20 @@ export async function loginInteractive({
  });
 }

-export async function loginDeviceCode({ tenantId, clientId, scopes }: LoginDeviceCodeOptions): Promise<AuthenticationResult | null> {
+export async function loginDeviceCode(
+  tenantId: string | undefined,
+  clientId: string | undefined,
+  scopes: string[],
+): Promise<AuthenticationResult | null> {
  if (!tenantId) throw new Error("tenantId is required");
  if (!clientId) throw new Error("clientId is required");
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error("scopes[] is required");
  }

-  const pca = await createPca({ tenantId, clientId });
+  const pca = await createPca(tenantId, clientId);

-  const cached = await acquireTokenWithCache({ pca, scopes });
+  const cached = await acquireTokenWithCache(pca, scopes);
  if (cached) return cached;

  return pca.acquireTokenByDeviceCode({
@@ -390,15 +319,15 @@ export async function loginDeviceCode({ tenantId, clientId, scopes }: LoginDevic
  });
 }

-export async function login({
-  tenantId,
-  clientId,
-  resourcesCsv,
+export async function login(
+  tenantId: string | undefined,
+  clientId: string | undefined,
+  resourcesCsv?: string,
  useDeviceCode = false,
  noBrowser = false,
-  browser,
-  browserProfile,
-}: LoginOptions): Promise<{
+  browser?: string,
+  browserProfile?: string,
+): Promise<{
  accountUpn: string | null;
  resources: Array<{ resource: string; expiresOn: string | null }>;
  flow: "device-code" | "interactive";
@@ -406,27 +335,22 @@ export async function login({
 }> {
  if (!tenantId) throw new Error("tenantId is required");
  if (!clientId) throw new Error("clientId is required");
-  validateBrowserOptions({ browser, browserProfile });
+  validateBrowserOptions(browser, browserProfile);

  const resources = parseResources(resourcesCsv);
  const scopes = resources.map((resourceName) => RESOURCE_SCOPE_BY_NAME[resourceName]);
-  const pca = await createPca({ tenantId, clientId });
+  const pca = await createPca(tenantId, clientId);
  const session = await readSessionState();
-  const preferredAccount = await findAccountByUpn({
-    pca,
-    upn: session.activeAccountUpn,
-  });
+  const preferredAccount = session.activeAccountUpn
+    ? await findAccountByUpn(pca, session.activeAccountUpn)
+    : null;

  const results: Array<{ resource: string; expiresOn: string | null }> = [];
  let selectedAccount: AccountInfo | null = preferredAccount;
  for (let index = 0; index < resources.length; index += 1) {
    const resource = resources[index];
    const scope = [scopes[index]];
-    let token = await acquireTokenWithCache({
-      pca,
-      scopes: scope,
-      account: selectedAccount,
-    });
+    let token = await acquireTokenWithCache(pca, scope, selectedAccount);

    if (!token) {
      if (useDeviceCode) {
@@ -444,7 +368,7 @@ export async function login({
              writeStderr(`Visit:\n${url}`);
              return;
            }
-            const options = getBrowserOpenOptions({ browser, browserProfile });
+            const options = getBrowserOpenOptions(browser, browserProfile);
            await open(url, options).catch(() => {
              writeStderr(`Visit:\n${url}`);
            });
@@ -476,11 +400,11 @@ export async function login({
  };
 }

-export async function acquireResourceTokenFromLogin({
-  tenantId,
-  clientId,
-  resource,
-}: AcquireResourceTokenOptions): Promise<AuthenticationResult | null> {
+export async function acquireResourceToken(
+  tenantId: string,
+  clientId: string,
+  resource: string,
+): Promise<AuthenticationResult | null> {
  if (!tenantId) throw new Error("tenantId is required");
  if (!clientId) throw new Error("clientId is required");
  if (!resource) throw new Error("resource is required");
@@ -496,11 +420,8 @@ export async function acquireResourceTokenFromLogin({
    throw new Error(LOGIN_REQUIRED_MESSAGE);
  }

-  const pca = await createPca({ tenantId, clientId });
-  const account = await findAccountByUpn({
-    pca,
-    upn: session.activeAccountUpn,
-  });
+  const pca = await createPca(tenantId, clientId);
+  const account = await findAccountByUpn(pca, session.activeAccountUpn);
  if (!account) {
    throw new Error(LOGIN_REQUIRED_MESSAGE);
  }
@@ -515,16 +436,16 @@ export async function acquireResourceTokenFromLogin({
  }
 }

-export async function logout({
-  tenantId,
-  clientId,
+export async function logout(
+  tenantId: string,
+  clientId: string,
  clearAll = false,
-  userPrincipalName,
-}: LogoutOptions): Promise<{ clearedAll: boolean; signedOut: string[] }> {
+  userPrincipalName?: string,
+): Promise<{ clearedAll: boolean; signedOut: string[] }> {
  if (!tenantId) throw new Error("tenantId is required");
  if (!clientId) throw new Error("clientId is required");

-  const pca = await createPca({ tenantId, clientId });
+  const pca = await createPca(tenantId, clientId);
  const tokenCache = pca.getTokenCache();
  const accounts = await tokenCache.getAllAccounts();
  const session = await readSessionState();
@@ -540,9 +461,10 @@ export async function logout({
    };
  }

-  const targetUpn = normalizeUpn(userPrincipalName) || normalizeUpn(session.activeAccountUpn);
+  const targetUpn = (typeof userPrincipalName === "string" ? userPrincipalName.trim().toLowerCase() : "")
+    || (typeof session.activeAccountUpn === "string" ? session.activeAccountUpn.trim().toLowerCase() : "");
  const accountToSignOut = accounts.find(
-    (account) => normalizeUpn(account.username) === targetUpn,
+    (account) => account.username.trim().toLowerCase() === targetUpn,
  );

  if (!accountToSignOut) {
--- a/src/cli/commands/auth.ts
+++ b/src/cli/commands/auth.ts
@@ -0,0 +1 @@
+// SPDX-License-Identifier: MIT
--- a/src/cli/commands/get-token.ts
+++ b/src/cli/commands/get-token.ts
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: MIT

-import { acquireResourceTokenFromLogin } from "../../azure/index.ts";
+import { acquireResourceToken } from "../../azure/index.ts";
 import { getDevOpsApiToken } from "../../devops/index.ts";
-import { loadPublicConfig } from "../../index.ts";
+import { loadConfig } from "../../index.ts";

 import type { CommandValues } from "./types.ts";

@@ -19,20 +19,14 @@ export async function runGetTokenCommand(values: CommandValues): Promise<unknown
    throw new Error("--type is required for get-token (allowed: azurerm, devops)");
  }

-  const config = await loadPublicConfig();
-  if (!config.tenantId) {
-    throw new Error("tenantId is required");
-  }
-  if (!config.clientId) {
-    throw new Error("clientId is required");
-  }
+  const config = await loadConfig("public-config");

  if (tokenType === "azurerm") {
-    const result = await acquireResourceTokenFromLogin({
-      tenantId: config.tenantId,
-      clientId: config.clientId,
-      resource: "arm",
-    });
+    const result = await acquireResourceToken(
+      config.tenantId,
+      config.clientId,
+      "arm",
+    );

    const accessToken = result?.accessToken;
    if (!accessToken) {
--- a/src/cli/commands/list-apps.ts
+++ b/src/cli/commands/list-apps.ts
@@ -16,10 +16,7 @@ Options:

 export async function runListAppsCommand(values: CommandValues): Promise<unknown> {
  const { client } = await getGraphClientFromPublicConfig();
-  let result = await listApps(client, {
-    displayName: values["display-name"],
-    appId: values["app-id"],
-  });
+  let result = await listApps(client, values["display-name"], values["app-id"]);
  if (values["app-id"] && result.length > 1) {
    throw new Error(`Expected a single app for --app-id ${values["app-id"]}, but got ${result.length}`);
  }
--- a/src/cli/commands/list-resource-permissions.ts
+++ b/src/cli/commands/list-resource-permissions.ts
@@ -23,10 +23,11 @@ export async function runListResourcePermissionsCommand(values: CommandValues):
  }

  const { client } = await getGraphClientFromPublicConfig();
-  let result = await listResourcePermissions(client, {
-    appId: values["app-id"],
-    displayName: values["display-name"],
-  });
+  let result = await listResourcePermissions(
+    client,
+    values["app-id"],
+    values["display-name"],
+  );
  if (values.filter) {
    result = filterByPermissionName(result, values.filter);
  }
--- a/src/cli/commands/login.ts
+++ b/src/cli/commands/login.ts
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT

 import { login } from "../../azure/index.ts";
-import { loadPublicConfig } from "../../index.ts";
+import { loadConfig } from "../../index.ts";

 import type { CommandValues } from "./types.ts";

@@ -17,14 +17,14 @@ Options:
 }

 export async function runLoginCommand(values: CommandValues): Promise<unknown> {
-  const config = await loadPublicConfig();
-  return login({
-    tenantId: config.tenantId,
-    clientId: config.clientId,
-    resourcesCsv: values.resources,
-    useDeviceCode: Boolean(values["use-device-code"]),
-    noBrowser: Boolean(values["no-browser"]),
-    browser: values.browser,
-    browserProfile: values["browser-profile"],
-  });
+  const config = await loadConfig("public-config");
+  return login(
+    config.tenantId,
+    config.clientId,
+    values.resources,
+    Boolean(values["use-device-code"]),
+    Boolean(values["no-browser"]),
+    values.browser,
+    values["browser-profile"],
+  );
 }
--- a/src/cli/commands/logout.ts
+++ b/src/cli/commands/logout.ts
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT

 import { logout } from "../../azure/index.ts";
-import { loadPublicConfig } from "../../index.ts";
+import { loadConfig } from "../../index.ts";

 import type { CommandValues } from "./types.ts";

@@ -13,10 +13,6 @@ Options:
 }

 export async function runLogoutCommand(values: CommandValues): Promise<unknown> {
-  const config = await loadPublicConfig();
-  return logout({
-    tenantId: config.tenantId,
-    clientId: config.clientId,
-    clearAll: Boolean(values.all),
-  });
+  const config = await loadConfig("public-config");
+  return logout(config.tenantId, config.clientId, Boolean(values.all));
 }
--- a/src/cli/commands/rest.ts
+++ b/src/cli/commands/rest.ts
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: MIT

-import { acquireResourceTokenFromLogin } from "../../azure/index.ts";
+import { acquireResourceToken } from "../../azure/index.ts";
 import { getDevOpsApiToken } from "../../devops/index.ts";
-import { loadPublicConfig } from "../../index.ts";
+import { loadConfig } from "../../index.ts";

 import type { CommandValues } from "./types.ts";

@@ -54,20 +54,14 @@ async function getAutoAuthorizationHeader(url: URL): Promise<string | null> {
    return null;
  }

-  const config = await loadPublicConfig();
-  if (!config.tenantId) {
-    throw new Error("tenantId is required");
-  }
-  if (!config.clientId) {
-    throw new Error("clientId is required");
-  }
+  const config = await loadConfig("public-config");

  if (host === "management.azure.com") {
-    const result = await acquireResourceTokenFromLogin({
-      tenantId: config.tenantId,
-      clientId: config.clientId,
-      resource: "arm",
-    });
+    const result = await acquireResourceToken(
+      config.tenantId,
+      config.clientId,
+      "arm",
+    );
    const accessToken = result?.accessToken;
    if (!accessToken) {
      throw new Error("Failed to obtain AzureRM token");
--- a/src/cli/commands/shared.ts
+++ b/src/cli/commands/shared.ts
@@ -2,7 +2,7 @@

 import { minimatch } from "minimatch";

-import { loadPublicConfig } from "../../index.ts";
+import { loadConfig } from "../../index.ts";
 import { getGraphClient } from "../../graph/auth.ts";

 type PermissionRow = {
@@ -28,9 +28,6 @@ export function filterByDisplayName<T extends DisplayNameRow>(rows: T[], pattern
 }

 export async function getGraphClientFromPublicConfig(): Promise<{ client: any }> {
-  const config = await loadPublicConfig();
-  return getGraphClient({
-    tenantId: config.tenantId,
-    clientId: config.clientId,
-  });
+  const config = await loadConfig("public-config");
+  return getGraphClient(config.tenantId, config.clientId);
 }
--- a/src/create-pca.ts
+++ b/src/create-pca.ts
@@ -8,21 +8,16 @@ import readline from "node:readline";
 import { spawnSync } from "node:child_process";
 import { parseArgs } from "node:util";

-type RunAzOptions = {
-  quiet?: boolean;
-  allowFailure?: boolean;
-};
-
 type RunAzResult = {
  status: number;
  stdout: string;
  stderr: string;
 };

-function runAz(args: string[], options: RunAzOptions = {}): RunAzResult {
+function runAz(args: string[], quiet = false, allowFailure = false): RunAzResult {
  const result = spawnSync("az", args, {
    encoding: "utf8",
-    stdio: options.quiet
+    stdio: quiet
      ? ["ignore", "ignore", "ignore"]
      : ["ignore", "pipe", "pipe"],
  });
@@ -31,7 +26,7 @@ function runAz(args: string[], options: RunAzOptions = {}): RunAzResult {
    throw result.error;
  }

-  if (result.status !== 0 && options.allowFailure !== true) {
+  if (result.status !== 0 && allowFailure !== true) {
    throw new Error(
      (result.stderr || "").trim() || `az ${args.join(" ")} failed`,
    );
@@ -198,7 +193,7 @@ Options:
          "--enable-id-token-issuance",
          "true",
        ],
-        { quiet: true },
+        true,
      );
    } catch {
      console.error(
@@ -210,14 +205,12 @@ Options:
    fs.rmSync(tempDir, { recursive: true, force: true });
  }

-  runAz(["ad", "sp", "create", "--id", appId], {
-    quiet: true,
-    allowFailure: true,
-  });
+  runAz(["ad", "sp", "create", "--id", appId], true, true);

  const adminConsentResult = runAz(
    ["ad", "app", "permission", "admin-consent", "--id", appId],
-    { quiet: true, allowFailure: true },
+    true,
+    true,
  );
  if (adminConsentResult.status !== 0) {
    console.warn(
--- a/src/devops/index.ts
+++ b/src/devops/index.ts
@@ -14,11 +14,11 @@ type LoginInteractiveResult = {
 };

 export async function getDevOpsApiToken(tenantId: string, clientId: string): Promise<string> {
-  const result = await loginInteractive({
+  const result = await loginInteractive(
    tenantId,
    clientId,
-    scopes: AZURE_DEVOPS_SCOPES,
-  }) as LoginInteractiveResult;
+    AZURE_DEVOPS_SCOPES,
+  ) as LoginInteractiveResult;

  const accessToken = result?.accessToken;

--- a/src/graph/app.ts
+++ b/src/graph/app.ts
@@ -6,11 +6,6 @@ type GraphResult<T = GraphObject> = {
  value?: T[];
 };

-type AppQueryOptions = {
-  displayName?: string;
-  appId?: string;
-};
-
 type RequiredResourceAccessItem = {
  type?: string;
  id?: string;
@@ -38,11 +33,6 @@ type ServicePrincipal = {
  appRoles?: GraphPermission[];
 };

-type ResourcePermissionsOptions = {
-  appId?: string;
-  displayName?: string;
-};
-
 export async function getApp(client: any, displayName: string): Promise<GraphObject | null> {
  const result = await client
    .api("/applications")
@@ -68,8 +58,11 @@ export async function deleteApp(client: any, appObjectId: string): Promise<void>
  await client.api(`/applications/${appObjectId}`).delete();
 }

-export async function listApps(client: any, options: AppQueryOptions = {}): Promise<GraphObject[]> {
-  const { displayName, appId } = options;
+export async function listApps(
+  client: any,
+  displayName?: string,
+  appId?: string,
+): Promise<GraphObject[]> {
  let request = client.api("/applications");
  const filters: string[] = [];

@@ -219,8 +212,11 @@ export async function listAppGrants(client: any, appId: string): Promise<GraphOb
  return Array.isArray(grantsResult?.value) ? grantsResult.value : [];
 }

-export async function listResourcePermissions(client: any, options: ResourcePermissionsOptions = {}): Promise<Array<Record<string, unknown>>> {
-  const { appId, displayName } = options;
+export async function listResourcePermissions(
+  client: any,
+  appId?: string,
+  displayName?: string,
+): Promise<Array<Record<string, unknown>>> {
  if (!appId && !displayName) {
    throw new Error("appId or displayName is required");
  }
--- a/src/graph/auth.ts
+++ b/src/graph/auth.ts
@@ -1,24 +1,18 @@
 // SPDX-License-Identifier: MIT

 import { Client } from "@microsoft/microsoft-graph-client";
-import { acquireResourceTokenFromLogin } from "../azure/index.ts";
-
-type GraphClientOptions = {
-  tenantId?: string;
-  clientId?: string;
-};
+import { acquireResourceToken } from "../azure/index.ts";

 type GraphApiToken = {
  accessToken: string;
  [key: string]: unknown;
 };

-export async function getGraphClient({ tenantId, clientId }: GraphClientOptions): Promise<{ graphApiToken: GraphApiToken; client: any }> {
-  const graphApiToken = await acquireResourceTokenFromLogin({
-    tenantId,
-    clientId,
-    resource: "graph",
-  }) as GraphApiToken;
+export async function getGraphClient(
+  tenantId: string,
+  clientId: string,
+): Promise<{ graphApiToken: GraphApiToken; client: any }> {
+  const graphApiToken = await acquireResourceToken(tenantId, clientId, "graph") as GraphApiToken;

  const client = Client.init({
    authProvider: (done) => {
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,58 +1,36 @@
 // SPDX-License-Identifier: MIT

-import { readFile } from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
+import { validate as validateUuid } from "uuid";
+import { getConfig } from "@slawek/sk-tools";

 type Config = {
-  tenantId?: string;
-  clientId?: string;
+  tenantId: string;
+  clientId: string;
 };

-type ConfigCandidate = {
-  tenantId?: unknown;
-  clientId?: unknown;
-};
-
-export function getUserConfigDir(): string {
-  if (process.platform === "win32") {
-    return process.env.LOCALAPPDATA ?? path.join(os.homedir(), "AppData", "Local");
-  }
-
-  return process.env.XDG_CONFIG_HOME ?? path.join(os.homedir(), ".config");
-}
-
-async function loadConfig(configFileName: string): Promise<Config> {
-  if (typeof configFileName !== "string" || configFileName.trim() === "") {
+export async function loadConfig(configName: string): Promise<Config> {
+  if (typeof configName !== "string" || configName.trim() === "") {
    throw new Error(
-      'Invalid config file name. Expected a non-empty string like "public-config.json" or "confidential-config.json".',
+      'Invalid config name. Expected a non-empty string like "public-config" or "confidential-config".',
    );
  }

-  const envConfig: Config = {
+  const envConfig = {
    tenantId: process.env.AZURE_TENANT_ID,
    clientId: process.env.AZURE_CLIENT_ID,
  };

-  const configPath = path.join(getUserConfigDir(), "sk-az-tools", configFileName);
-  return readFile(configPath, "utf8")
-    .then((configJson) => JSON.parse(configJson) as ConfigCandidate)
-    .catch((err: unknown) => {
-      if ((err as { code?: string } | null)?.code === "ENOENT") {
-        return {} as ConfigCandidate;
-      }
-      throw err;
-    })
-    .then((json) => ({
-      tenantId: typeof json.tenantId === "string" && json.tenantId ? json.tenantId : envConfig.tenantId,
-      clientId: typeof json.clientId === "string" && json.clientId ? json.clientId : envConfig.clientId,
-    }));
-}
+  const json = (await getConfig("sk-az-tools", configName)) as Record<string, unknown>;

-export function loadPublicConfig(): Promise<Config> {
-  return loadConfig("public-config.json");
-}
+  const tenantId = (typeof json.tenantId === "string" && json.tenantId ? json.tenantId : envConfig.tenantId) ?? "";
+  const clientId = (typeof json.clientId === "string" && json.clientId ? json.clientId : envConfig.clientId) ?? "";

-export function loadConfidentialConfig(): Promise<Config> {
-  return loadConfig("confidential-config.json");
+  if (!validateUuid(tenantId ?? "") || !validateUuid(clientId ?? "")) {
+    throw new Error("tenantId and clientId must be valid GUIDs.");
+  }
+
+  return {
+    tenantId,
+    clientId,
+  };
 }
Author	SHA1	Message	Date
Slawomir Koszewski	059590fde4	fix: removed unefficient AI generated call pattern using one-use object types created for 2-3 variable passing. Some checks failed build / build (push) Failing after 13s Details	2026-03-07 16:33:13 +01:00
Slawomir Koszewski	63029d1119	refactor: streamline session state management using configuration functions	2026-03-07 15:36:48 +01:00
Slawomir Koszewski	aa6f9e24f8	Refactored configuration loading function.	2026-03-07 15:18:46 +01:00