Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
xero-node
Advanced tools
Version 4.x of Xero NodeJS SDK only supports oAuth2 authentication and the following API sets.
An early release in a separate package is availalbe bank feeds API.
We've moved this code into the oauth1 branch.
Follow these steps to create your Xero app
This SDK's functionality is majority generated from our OpenAPISpec.
The exception is the src/xeroClient.ts
which contains the typescript that is unique to this repository. Contributions are welcome but please keep in mind that majority of SDK is auto-generated from the OpenAPISpec. We try to get changes in that projects to be released on a reasonable cadence.
Read more about our process in maintaining our suite of SDK's
We are working to build out a more robust test suite, and currently just have tests setup for our xeroClient.ts - PR's will now run against a CI build - and as we add more tests to this project community collaboration will be easier to incorporate.
npm test
We use OAuth2.0 to authenticate requests against our API. Each API call will need to have a valid token populated on the API client to succeed. In a tokenSet will be an access_token which lasts for 30 minutes, and a refresh_token which lasts for 30 days. If you don't want to require your users to re-authenticate each time you want to call the API on their behalf, you will need a datastore for these tokens and will be required to refresh the tokens at least once per 30 days to avoid expiration. The offline_access
scope is required for refresh tokens to work.
In Xero a user can belong to multiple organisations. Tokens are ultimately associated with a Xero user, who can belong to multiple tenants/organisations. If your user 'Allows Access' to multiple organisations, be hyper aware of which tenantId
you are passing to each function.
Step 1: Initialize the XeroClient
, and redirect user to xero auth flow
Step 2: Call apiCallback
to get your tokenSet
Step 3: Call updateTenats
to populate additional tenant data
initialize()
the client to set up the 'openid-client'consentUrl
const port = process.env.PORT || 3000
const xero = new XeroClient({
clientId: 'YOUR_CLIENT_ID',
clientSecret: 'YOUR_CLIENT_SECRET',
redirectUris: [`http://localhost:${port}/callback`],
scopes: 'openid profile email accounting.transactions offline_access'.split(" ")
});
await xero.initialize();
let consentUrl = await xero.buildConsentUrl();
res.redirect(consentUrl);
Call apiCallback
function with the response url which returns a tokenSet you can save in your datastore for future calls.
The tokenSet
can also be accessed from the client as xero.readTokenSet()
.
const tokenSet = await xero.apiCallback(req.url);
The tokenSet
will contain your access_token and refresh_token as well as other information regarding your connection.
{
id_token: 'eyJhxxxx.yyy',
access_token: 'eyJxxx.yyy.zzz',
expires_at: 1231231234,
token_type: 'Bearer',
refresh_token: 'xxxyyyyzzz',
scope: 'openid profile email accounting.settings accounting.reports.read accounting.journals.read accounting.contacts accounting.attachments accounting.transactions offline_access',
session_state: 'xxx.yyy'
}
Populate the XeroClient's active tenant data
For most integrations you will always want to display the org name and additional metadata about the connected org. The /connections
endpoint does not currently serialize that data so requires developers to make additional api calls for each org that your user connects to surface that information.
The updatedTenants
function will query & nest the additional orgData results in your xeroClient under each connection/tenant object and return the array of tenants.
const tenants = await xero.updateTenants()
console.log(tenants || xero.tenants)
[
{
id: 'xxx-yyy-zzz-xxx-yyy',
tenantId: 'xxx-yyy-zzz-xxx-yyy',
tenantType: 'ORGANISATION',
createdDateUtc: 'UTC-DateString',
updatedDateUtc: 'UTC-DateString',
orgData: {
organisationID: 'xxx-yyy-zzz-xxx-yyy',
name: 'My first org',
version: 'US',
shortCode: '!2h37s',
...
}
},
{
id: 'xxx-yyy-zzz-xxx-yyy',
tenantId: 'xxx-yyy-zzz-xxx-yyy',
tenantType: 'ORGANISATION',
createdDateUtc: 'UTC-DateString',
updatedDateUtc: 'UTC-DateString',
orgData: {
organisationID: 'xxx-yyy-zzz-xxx-yyy',
name: 'My second org',
version: 'AUS',
shortCode: '!yrcgp',
...
}
}
]
Once you have a valid token saved you can set the token on the client without going through the callback by calling setTokenSet
.
For example - once a user authenticates you can refresh the token (which will also set the new token on the client) to make authorized api calls.
const tokenSet = getTokenFromDatabase(userId) // example function name
await xero.setTokenSet(tokenSet)
// you can call this to fetch/set your connected tenant data on your client, or you could also store this information in a database
await xero.updateTenants()
await xero.accountingApi.getInvoices(xero.tenants[0].tenantId)
Full API documentation: https://xeroapi.github.io/xero-node/v4/
const activeTenantId = xero.tenants[0].tenantId
const getOrgs = await xero.accountingApi.getOrganisations(activeTenantId)
const orgCountry= getOrgs.body.organisations[0].countryCode
const contactsResponse = await xero.accountingApi.getContacts(activeTenantId)
const contactId = getContactsResponse.body.contacts[0].contactID
---
import { XeroClient, Invoice } from "xero-node";
const invoices = {
invoices: [
{
type: Invoice.TypeEnum.ACCREC,
contact: {
contactID: contactId
},
lineItems: [
{
description: "Acme Tires",
quantity: 2.0,
unitAmount: 20.0,
accountCode: "500",
taxType: "NONE",
lineAmount: 40.0
}
],
date: "2019-03-11",
dueDate: "2018-12-10",
reference: "Website Design",
status: Invoice.StatusEnum.AUTHORISED
}
]
};
const createdInvoice = await xero.accountingApi.createInvoices(activeTenantId, invoices)
For more robust examples in how to utilize our accounting api we have (roughly) every single endpoint mapped out with an example in our sample app - complete with showing the Xero data dependencies required for interaction with many objects ( ie. types, assoc. accounts, tax types, date formats).
Just visit the repo https://github.com/XeroAPI/xero-node-oauth2-app configure your credentials & get started.
// xero.tenants
xero.tenants
// buildConsentUrl()
await xero.buildConsentUrl()
// readTokenSet()
const tokenSet = await xero.readTokenSet();
// tokenSet.expired()
if (tokenSet.expired()) {
// refresh etc.
}
// refreshToken()
const validTokenSet = await xero.refreshToken()
// refreshTokenUsingTokenSet()
await xero.refreshTokenUsingTokenSet(tokenSet)
// disconnect()
await xero.disconnect(xero.tenants[0].id)
// readIdTokenClaims()
await xero.readIdTokenClaims()
// readTokenSet()
await xero.readTokenSet()
// setTokenSet(tokenSet)
const tokenSet = await xero.readTokenSet()
await xero.setTokenSet(tokenSet)
FAQs
Xero NodeJS OAuth 2.0 client for xero-node
The npm package xero-node receives a total of 56,250 weekly downloads. As such, xero-node popularity was classified as popular.
We found that xero-node demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.