@adaptic/backend-legacy 0.0.972 → 0.0.974

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/client.cjs +9 -3
  2. package/esm/auth/token-verifier.d.ts +143 -0
  3. package/esm/auth/token-verifier.d.ts.map +1 -0
  4. package/esm/auth/token-verifier.js.map +1 -0
  5. package/esm/auth/token-verifier.mjs +395 -0
  6. package/esm/client.d.ts.map +1 -1
  7. package/esm/client.js.map +1 -1
  8. package/esm/client.mjs +9 -3
  9. package/esm/middleware/auth.d.ts +28 -2
  10. package/esm/middleware/auth.d.ts.map +1 -1
  11. package/esm/middleware/auth.js.map +1 -1
  12. package/esm/middleware/auth.mjs +53 -27
  13. package/esm/middleware/rate-limiter.js.map +1 -1
  14. package/esm/middleware/rate-limiter.mjs +4 -4
  15. package/package.json +1 -1
  16. package/server.cjs +113 -79
package/client.cjs CHANGED
@@ -221,10 +221,16 @@ async function getAuthToken() {
221
221
  }
222
222
  // Validate the token format
223
223
  if (token && !isValidJwtFormat(token)) {
224
- // Check if it looks like a Google OAuth token
224
+ // Opaque OAuth access tokens (`ya29.…`) are NOT acceptable backend
225
+ // credentials — the backend's `verifyBackendToken` rejects them with
226
+ // `opaque_access_token_rejected`. Refuse to send them so callers see a
227
+ // clear local warning instead of an opaque 401 from the server.
225
228
  if (token.startsWith('ya29.')) {
226
- // Google OAuth tokens are valid, pass through
227
- return token;
229
+ logger_1.logger.warn('[Apollo Client] Refusing to send a Google OAuth access token (ya29.…) ' +
230
+ 'to the backend. These tokens cannot be verified offline and are ' +
231
+ 'rejected by the backend. Use a backend-issued JWT or SERVER_AUTH_TOKEN ' +
232
+ 'instead.');
233
+ return '';
228
234
  }
229
235
  logger_1.logger.warn('[Apollo Client] Token does not appear to be a valid JWT format. ' +
230
236
  'Expected format: header.payload.signature (three base64url-encoded parts). ' +
package/esm/auth/token-verifier.d.ts ADDED
@@ -0,0 +1,143 @@
1
+ /**
2
+ * Verified identity for backend tokens.
3
+ *
4
+ * `verifyBackendToken` is the SOLE entry point for establishing principal
5
+ * identity from a bearer token presented at the GraphQL HTTP, GraphQL WebSocket,
6
+ * or Express middleware layer of `@adaptic/backend-legacy`.
7
+ *
8
+ * It rejects, in priority order:
9
+ *
10
+ * 1. **Server-to-server static token.** `process.env.SERVER_AUTH_TOKEN`
11
+ * exact match -> `{ kind: "server" }`. Configured via the environment;
12
+ * never read at request time without a non-empty env value.
13
+ * 2. **App-issued JWT.** `jwt.verify(token, jwtSecret)` against the shared
14
+ * backend `jwtSecret`. Returns `{ kind: "user", sub, roles }` or
15
+ * `{ kind: "admin", … }` when the JWT carries an admin role.
16
+ * 3. **Google ID token.** `OAuth2Client.verifyIdToken({ idToken, audience })`
17
+ * against the configured Google client IDs. Note that an *access* token
18
+ * (`ya29.…`) is NOT an ID token and cannot be verified offline — those
19
+ * are rejected explicitly with reason `opaque_access_token_rejected`.
20
+ *
21
+ * On every failure path, throws an `AuthError` whose `reason` is a finite
22
+ * discriminated string. Callers map `AuthError` to HTTP 401 / GraphQL
23
+ * `UNAUTHENTICATED` extension code at the transport layer.
24
+ *
25
+ * No path silently downgrades to an unverified principal. No path returns
26
+ * `null`. No path logs the token value — only a length and an 8-char prefix
27
+ * masked with an ellipsis.
28
+ *
29
+ * @see backend-legacy/src/auth/__tests__/token-verifier.test.ts for full
30
+ * coverage of every reason branch.
31
+ */
32
+ import jwt from 'jsonwebtoken';
33
+ /**
34
+ * Finite, discriminated set of reasons `verifyBackendToken` can fail.
35
+ *
36
+ * The set is closed by design: every new failure mode added to the verifier
37
+ * must be classified into one of these reasons (or a new reason added here
38
+ * with explicit consumer-side handling).
39
+ */
40
+ export type AuthErrorReason = 'malformed' | 'expired' | 'bad_audience' | 'bad_signature' | 'opaque_access_token_rejected' | 'misconfigured';
41
+ /**
42
+ * Backend principal — the verified caller identity attached to a request.
43
+ *
44
+ * - `server`: trusted server-to-server caller (Next.js route handler, internal
45
+ * service). Authenticated by the static `SERVER_AUTH_TOKEN`.
46
+ * - `user`: end-user authenticated via app-issued JWT or Google ID token.
47
+ * - `admin`: same as `user` but with an `admin` role explicitly listed.
48
+ *
49
+ * The discriminator is `kind`. Callers `switch` on `kind` and the TypeScript
50
+ * compiler enforces exhaustive handling.
51
+ */
52
+ export type BackendPrincipal = {
53
+ kind: 'server';
54
+ } | {
55
+ kind: 'user';
56
+ sub: string;
57
+ email?: string;
58
+ roles: string[];
59
+ } | {
60
+ kind: 'admin';
61
+ sub: string;
62
+ email?: string;
63
+ roles: string[];
64
+ };
65
+ /**
66
+ * Typed authentication error. The `reason` discriminates the failure case;
67
+ * callers may map `reason` to a transport-specific error code (HTTP 401,
68
+ * GraphQL `UNAUTHENTICATED`) and a structured log entry.
69
+ *
70
+ * Never include token contents in messages. The `reason` is sufficient.
71
+ */
72
+ export declare class AuthError extends Error {
73
+ readonly code: 'invalid_token';
74
+ readonly reason: AuthErrorReason;
75
+ constructor(code: 'invalid_token', reason: AuthErrorReason, message?: string);
76
+ }
77
+ /**
78
+ * Resolve the comma-separated list of accepted Google OAuth client IDs from
79
+ * `GOOGLE_OAUTH_CLIENT_IDS`.
80
+ *
81
+ * - In production (`NODE_ENV=production`): if the env is missing or empty,
82
+ * throw `AuthError("invalid_token", "misconfigured")` at the FIRST call.
83
+ * This serialises the failure into the request response rather than crashing
84
+ * the process; the boot-time invariant check at `assertGoogleAudienceConfiguredForProd`
85
+ * handles fail-fast-at-startup.
86
+ * - In dev/test: log a single warning and return `[]`. With an empty audience
87
+ * list, the Google ID-token verification branch will always fail — acceptable
88
+ * in non-prod because trusted paths use `SERVER_AUTH_TOKEN` or app JWTs.
89
+ *
90
+ * @internal exported for testing
91
+ */
92
+ export declare function googleAudienceList(): string[];
93
+ /**
94
+ * Boot-time invariant: in production, require `GOOGLE_OAUTH_CLIENT_IDS` to be
95
+ * a non-empty allowlist. Call this once during server startup so the process
96
+ * refuses to boot with an invalid identity configuration.
97
+ *
98
+ * Throws a plain `Error` (not `AuthError`) so the startup harness logs it as
99
+ * a fatal config error rather than a per-request auth failure.
100
+ */
101
+ export declare function assertGoogleAudienceConfiguredForProd(): void;
102
+ /**
103
+ * Test-only escape hatch to reset the cached audience list. Wired into the
104
+ * public surface so tests in this package can mutate env between cases and
105
+ * have the next call to `googleAudienceList()` re-read the environment.
106
+ *
107
+ * @internal
108
+ */
109
+ export declare function _resetGoogleAudienceCacheForTests(): void;
110
+ /**
111
+ * Extract a roles array from a verified JWT payload, normalising the two
112
+ * shapes the platform emits:
113
+ * - `{ roles: ["user", "admin"] }` (preferred)
114
+ * - `{ role: "admin" }` (legacy single-string)
115
+ *
116
+ * Returns an empty array when neither claim is present. The Apollo `AuthChecker`
117
+ * treats an empty roles array as "authenticated user with no privileged role".
118
+ */
119
+ export declare function parseRolesFromJWT(payload: jwt.JwtPayload | string | undefined): string[];
120
+ /**
121
+ * Verify a bearer token and return a typed `BackendPrincipal`.
122
+ *
123
+ * Throws `AuthError("invalid_token", reason)` on every failure path. Callers
124
+ * are required to handle the throw — there is no silent fallback to an
125
+ * unauthenticated principal.
126
+ *
127
+ * Structural validation pipeline:
128
+ *
129
+ * - Empty or whitespace-only -> `malformed`.
130
+ * - Exact match with `SERVER_AUTH_TOKEN` -> `{ kind: "server" }`.
131
+ * - Single segment (no dots) -> `opaque_access_token_rejected`. This is the
132
+ * structural catch for OAuth access tokens, which cannot be verified offline.
133
+ * - Exactly 3 dot-separated segments -> attempt local JWT verify, then Google
134
+ * ID-token verify. The Google branch only runs if the local JWT branch
135
+ * fails AND the configured Google audience list is non-empty.
136
+ * - Any other segment count -> `malformed`.
137
+ *
138
+ * @param token Raw bearer token (the value after `Bearer ` in the header).
139
+ * @returns A verified `BackendPrincipal` on success.
140
+ * @throws `AuthError` on any failure.
141
+ */
142
+ export declare function verifyBackendToken(token: string): Promise<BackendPrincipal>;
143
+ //# sourceMappingURL=token-verifier.d.ts.map
package/esm/auth/token-verifier.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"token-verifier.d.ts","sourceRoot":"","sources":["../../../src/auth/token-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,GAA6C,MAAM,cAAc,CAAC;AASzE;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GACvB,WAAW,GACX,SAAS,GACT,cAAc,GACd,eAAe,GACf,8BAA8B,GAC9B,eAAe,CAAC;AAEpB;;;;;;;;;;GAUG;AACH,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,QAAQ,CAAA;CAAE,GAClB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,GAC9D;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEpE;;;;;;GAMG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,SAAgB,IAAI,EAAE,eAAe,CAAC;IACtC,SAAgB,MAAM,EAAE,eAAe,CAAC;gBAE5B,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,CAAC,EAAE,MAAM;CAQ7E;AAcD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,EAAE,CAkC7C;AAED;;;;;;;GAOG;AACH,wBAAgB,qCAAqC,IAAI,IAAI,CAgB5D;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,IAAI,IAAI,CAGxD;AAwBD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,GAAG,CAAC,UAAU,GAAG,MAAM,GAAG,SAAS,GAC3C,MAAM,EAAE,CAiBV;AAiCD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,gBAAgB,CAAC,CA+K3B"}
package/esm/auth/token-verifier.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"token-verifier.js","sourceRoot":"","sources":["../../../src/auth/token-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,GAAG,EAAE,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EAAE,YAAY,EAAoB,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAqCzC;;;;;;GAMG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClB,IAAI,CAAkB;IACtB,MAAM,CAAkB;IAExC,YAAY,IAAqB,EAAE,MAAuB,EAAE,OAAgB;QAC1E,KAAK,CAAC,OAAO,IAAI,GAAG,IAAI,KAAK,MAAM,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,2EAA2E;QAC3E,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;CACF;AAED,gFAAgF;AAChF,2CAA2C;AAC3C,gFAAgF;AAEhF;;;;GAIG;AACH,IAAI,kBAAwC,CAAC;AAC7C,IAAI,0BAA0B,GAAG,KAAK,CAAC;AAEvC;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,kBAAkB;IAChC,IAAI,0BAA0B,EAAE,CAAC;QAC/B,OAAO,kBAAkB,IAAI,EAAE,CAAC;IAClC,CAAC;IAED,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAErD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,IAAI,MAAM,EAAE,CAAC;YACX,oEAAoE;YACpE,6CAA6C;YAC7C,MAAM,IAAI,SAAS,CACjB,eAAe,EACf,eAAe,EACf,kEAAkE,CACnE,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CACT,yJAAyJ,CAC1J,CAAC;QACF,kBAAkB,GAAG,EAAE,CAAC;QACxB,0BAA0B,GAAG,IAAI,CAAC;QAClC,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAED,MAAM,IAAI,GAAG,GAAG;SACb,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE/B,kBAAkB,GAAG,IAAI,CAAC;IAC1B,0BAA0B,GAAG,IAAI,CAAC;IAClC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qCAAqC;IACnD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,IAAI,CAAC,MAAM;QAAE,OAAO;IAEpB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,GAAG,GACP,uEAAuE;YACvE,mEAAmE;YACnE,4EAA4E;YAC5E,0DAA0D,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,0HAA0H,CAC3H,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iCAAiC;IAC/C,kBAAkB,GAAG,SAAS,CAAC;IAC/B,0BAA0B,GAAG,KAAK,CAAC;AACrC,CAAC;AAED,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;;;GAIG;AACH,IAAI,WAAqC,CAAC;AAE1C,SAAS,cAAc;IACrB,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,IAAI,YAAY,EAAE,CAAC;IACnC,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA4C;IAE5C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IAEvD,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,MAAM,UAAU,GAAI,OAA+B,CAAC,KAAK,CAAC;IAC1D,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAI,OAA8B,CAAC,IAAI,CAAC;IACvD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,QAAQ,KAAK,CAAC,MAAM,GAAG,CAAC;IACtD,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,KAAK,CAAC,MAAM,GAAG,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,KAAK,YAAY,iBAAiB;QAAE,OAAO,SAAS,CAAC;IACzD,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAChD,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAC7D,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,OAAO,eAAe,CAAC;IACzB,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa;IAEb,6EAA6E;IAC7E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACpD,CAAC;IAED,6EAA6E;IAC7E,0EAA0E;IAC1E,0EAA0E;IAC1E,gDAAgD;IAChD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACtD,IACE,OAAO,eAAe,KAAK,QAAQ;QACnC,eAAe,CAAC,MAAM,GAAG,CAAC;QAC1B,KAAK,KAAK,eAAe,EACzB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IAC5B,CAAC;IAED,8EAA8E;IAC9E,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAElC,sEAAsE;IACtE,yEAAyE;IACzE,6EAA6E;IAC7E,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE;YACjD,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC;SAChC,CAAC,CAAC;QACH,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,8BAA8B,CAAC,CAAC;IACvE,CAAC;IAED,wEAAwE;IACxE,4EAA4E;IAC5E,6BAA6B;IAC7B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE;YAC7C,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC;YAC/B,YAAY,EAAE,QAAQ,CAAC,MAAM;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACpD,CAAC;IAED,6EAA6E;IAC7E,yEAAyE;IACzE,wEAAwE;IACxE,8EAA8E;IAC9E,IAAI,eAA4C,CAAC;IACjD,IAAI,CAAC;QACH,sEAAsE;QACtE,kEAAkE;QAClE,oEAAoE;QACpE,mEAAmE;QACnE,sEAAsE;QACtE,mDAAmD;QACnD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxE,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,wEAAwE;YACxE,uDAAuD;YACvD,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACtE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,6DAA6D;YAC7D,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,UAAU,GAAI,OAA+B,CAAC,KAAK,CAAC;QAC1D,MAAM,KAAK,GACT,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;YACrD,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,SAAS,CAAC;QAEhB,OAAO,OAAO;YACZ,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE;YACtC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,qEAAqE;QACrE,wCAAwC;QACxC,IAAI,CAAC,YAAY,SAAS,EAAE,CAAC;YAC3B,MAAM,CAAC,CAAC;QACV,CAAC;QACD,eAAe,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QACtC,0EAA0E;QAC1E,uEAAuE;QACvE,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QACD,iEAAiE;IACnE,CAAC;IAED,6EAA6E;IAC7E,wEAAwE;IACxE,wEAAwE;IACxE,+DAA+D;IAC/D,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;IACtC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,mEAAmE;QACnE,MAAM,IAAI,SAAS,CACjB,eAAe,EACf,eAAe,IAAI,eAAe,CACnC,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,0EAA0E;IAC1E,wEAAwE;IACxE,uCAAuC;IACvC,IAAI,YAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,cAAc,EAAE,CAAC,aAAa,CAAC;YAClD,OAAO,EAAE,KAAK;YACd,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,6DAA6D;QAC7D,4EAA4E;QAC5E,sEAAsE;QACtE,6DAA6D;QAC7D,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;YACxD,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC;YAC/B,YAAY,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YACxD,cAAc,EAAE,eAAe,IAAI,KAAK;SACzC,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC/D,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;QACxD,CAAC;QACD,6DAA6D;QAC7D,kEAAkE;QAClE,mEAAmE;QACnE,mEAAmE;QACnE,mEAAmE;QACnE,gEAAgE;QAChE,gEAAgE;QAChE,mEAAmE;QACnE,kEAAkE;QAClE,oEAAoE;QACpE,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,eAAe,IAAI,cAAc,CAAC,CAAC;IAC1E,CAAC;IAED,2EAA2E;IAC3E,MAAM,OAAO,GAAG,YAAY,EAAE,UAAU,EAAE,EAAE,CAAC;IAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;YAC7D,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC;SAChC,CAAC,CAAC;QACH,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChD,yDAAyD;QACzD,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;YACrD,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC;SAChC,CAAC,CAAC;QACH,MAAM,IAAI,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;IACxD,CAAC;IAED,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,GAAG;QACH,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACpE,KAAK,EAAE,CAAC,MAAM,CAAC;KAChB,CAAC;AACJ,CAAC"}
package/esm/auth/token-verifier.mjs ADDED
@@ -0,0 +1,395 @@
1
+ /**
2
+ * Verified identity for backend tokens.
3
+ *
4
+ * `verifyBackendToken` is the SOLE entry point for establishing principal
5
+ * identity from a bearer token presented at the GraphQL HTTP, GraphQL WebSocket,
6
+ * or Express middleware layer of `@adaptic/backend-legacy`.
7
+ *
8
+ * It rejects, in priority order:
9
+ *
10
+ * 1. **Server-to-server static token.** `process.env.SERVER_AUTH_TOKEN`
11
+ * exact match -> `{ kind: "server" }`. Configured via the environment;
12
+ * never read at request time without a non-empty env value.
13
+ * 2. **App-issued JWT.** `jwt.verify(token, jwtSecret)` against the shared
14
+ * backend `jwtSecret`. Returns `{ kind: "user", sub, roles }` or
15
+ * `{ kind: "admin", … }` when the JWT carries an admin role.
16
+ * 3. **Google ID token.** `OAuth2Client.verifyIdToken({ idToken, audience })`
17
+ * against the configured Google client IDs. Note that an *access* token
18
+ * (`ya29.…`) is NOT an ID token and cannot be verified offline — those
19
+ * are rejected explicitly with reason `opaque_access_token_rejected`.
20
+ *
21
+ * On every failure path, throws an `AuthError` whose `reason` is a finite
22
+ * discriminated string. Callers map `AuthError` to HTTP 401 / GraphQL
23
+ * `UNAUTHENTICATED` extension code at the transport layer.
24
+ *
25
+ * No path silently downgrades to an unverified principal. No path returns
26
+ * `null`. No path logs the token value — only a length and an 8-char prefix
27
+ * masked with an ellipsis.
28
+ *
29
+ * @see backend-legacy/src/auth/__tests__/token-verifier.test.ts for full
30
+ * coverage of every reason branch.
31
+ */
32
+ import jwt, { JsonWebTokenError, TokenExpiredError } from 'jsonwebtoken';
33
+ import { OAuth2Client } from 'google-auth-library';
34
+ import { jwtSecret } from '../config/jwtConfig.mjs';
35
+ import { logger } from '../utils/logger.mjs';
36
+ /**
37
+ * Typed authentication error. The `reason` discriminates the failure case;
38
+ * callers may map `reason` to a transport-specific error code (HTTP 401,
39
+ * GraphQL `UNAUTHENTICATED`) and a structured log entry.
40
+ *
41
+ * Never include token contents in messages. The `reason` is sufficient.
42
+ */
43
+ export class AuthError extends Error {
44
+ code;
45
+ reason;
46
+ constructor(code, reason, message) {
47
+ super(message ?? `${code}: ${reason}`);
48
+ this.name = 'AuthError';
49
+ this.code = code;
50
+ this.reason = reason;
51
+ // Restore prototype chain for `instanceof` after transpilation to ES5/CJS.
52
+ Object.setPrototypeOf(this, AuthError.prototype);
53
+ }
54
+ }
55
+ // -----------------------------------------------------------------------------
56
+ // Configuration: Google audience allowlist
57
+ // -----------------------------------------------------------------------------
58
+ /**
59
+ * Sentinel for the lazy-cached Google audience list. We resolve at first call
60
+ * rather than at module load so tests can set `process.env.GOOGLE_OAUTH_CLIENT_IDS`
61
+ * before importing this module without import-order dance.
62
+ */
63
+ let cachedAudienceList;
64
+ let cachedAudienceListResolved = false;
65
+ /**
66
+ * Resolve the comma-separated list of accepted Google OAuth client IDs from
67
+ * `GOOGLE_OAUTH_CLIENT_IDS`.
68
+ *
69
+ * - In production (`NODE_ENV=production`): if the env is missing or empty,
70
+ * throw `AuthError("invalid_token", "misconfigured")` at the FIRST call.
71
+ * This serialises the failure into the request response rather than crashing
72
+ * the process; the boot-time invariant check at `assertGoogleAudienceConfiguredForProd`
73
+ * handles fail-fast-at-startup.
74
+ * - In dev/test: log a single warning and return `[]`. With an empty audience
75
+ * list, the Google ID-token verification branch will always fail — acceptable
76
+ * in non-prod because trusted paths use `SERVER_AUTH_TOKEN` or app JWTs.
77
+ *
78
+ * @internal exported for testing
79
+ */
80
+ export function googleAudienceList() {
81
+ if (cachedAudienceListResolved) {
82
+ return cachedAudienceList ?? [];
83
+ }
84
+ const raw = (process.env.GOOGLE_OAUTH_CLIENT_IDS ?? '').trim();
85
+ const isProd = process.env.NODE_ENV === 'production';
86
+ if (raw.length === 0) {
87
+ if (isProd) {
88
+ // Do not cache the empty list in prod — we want subsequent verifier
89
+ // calls to surface the misconfiguration too.
90
+ throw new AuthError('invalid_token', 'misconfigured', 'GOOGLE_OAUTH_CLIENT_IDS is required in production but is not set');
91
+ }
92
+ logger.warn('[auth] GOOGLE_OAUTH_CLIENT_IDS is not set; Google ID-token verification will reject all tokens until configured. This is acceptable for local dev only.');
93
+ cachedAudienceList = [];
94
+ cachedAudienceListResolved = true;
95
+ return cachedAudienceList;
96
+ }
97
+ const list = raw
98
+ .split(',')
99
+ .map((s) => s.trim())
100
+ .filter((s) => s.length > 0);
101
+ cachedAudienceList = list;
102
+ cachedAudienceListResolved = true;
103
+ return list;
104
+ }
105
+ /**
106
+ * Boot-time invariant: in production, require `GOOGLE_OAUTH_CLIENT_IDS` to be
107
+ * a non-empty allowlist. Call this once during server startup so the process
108
+ * refuses to boot with an invalid identity configuration.
109
+ *
110
+ * Throws a plain `Error` (not `AuthError`) so the startup harness logs it as
111
+ * a fatal config error rather than a per-request auth failure.
112
+ */
113
+ export function assertGoogleAudienceConfiguredForProd() {
114
+ const isProd = process.env.NODE_ENV === 'production';
115
+ if (!isProd)
116
+ return;
117
+ const raw = (process.env.GOOGLE_OAUTH_CLIENT_IDS ?? '').trim();
118
+ if (raw.length === 0) {
119
+ const msg = '[SECURITY] FATAL: GOOGLE_OAUTH_CLIENT_IDS is required in production. ' +
120
+ 'Set it to a comma-separated allowlist of Google OAuth client IDs ' +
121
+ '(e.g. "1234.apps.googleusercontent.com,5678.apps.googleusercontent.com"). ' +
122
+ 'Without this, no Google ID token can be safely verified.';
123
+ logger.error(msg);
124
+ throw new Error('GOOGLE_OAUTH_CLIENT_IDS is required in production. Set it to a comma-separated list of accepted Google OAuth client IDs.');
125
+ }
126
+ }
127
+ /**
128
+ * Test-only escape hatch to reset the cached audience list. Wired into the
129
+ * public surface so tests in this package can mutate env between cases and
130
+ * have the next call to `googleAudienceList()` re-read the environment.
131
+ *
132
+ * @internal
133
+ */
134
+ export function _resetGoogleAudienceCacheForTests() {
135
+ cachedAudienceList = undefined;
136
+ cachedAudienceListResolved = false;
137
+ }
138
+ // -----------------------------------------------------------------------------
139
+ // OAuth2Client singleton
140
+ // -----------------------------------------------------------------------------
141
+ /**
142
+ * Lazy-instantiated `OAuth2Client`. Constructing one is cheap, but doing it at
143
+ * module load would force the test suite to mock `google-auth-library` before
144
+ * any unrelated import path touches this module. Lazy avoids that fragility.
145
+ */
146
+ let oauthClient;
147
+ function getOAuthClient() {
148
+ if (!oauthClient) {
149
+ oauthClient = new OAuth2Client();
150
+ }
151
+ return oauthClient;
152
+ }
153
+ // -----------------------------------------------------------------------------
154
+ // Helpers
155
+ // -----------------------------------------------------------------------------
156
+ /**
157
+ * Extract a roles array from a verified JWT payload, normalising the two
158
+ * shapes the platform emits:
159
+ * - `{ roles: ["user", "admin"] }` (preferred)
160
+ * - `{ role: "admin" }` (legacy single-string)
161
+ *
162
+ * Returns an empty array when neither claim is present. The Apollo `AuthChecker`
163
+ * treats an empty roles array as "authenticated user with no privileged role".
164
+ */
165
+ export function parseRolesFromJWT(payload) {
166
+ if (!payload || typeof payload === 'string')
167
+ return [];
168
+ const out = [];
169
+ const rolesClaim = payload.roles;
170
+ if (Array.isArray(rolesClaim)) {
171
+ for (const r of rolesClaim) {
172
+ if (typeof r === 'string' && r.length > 0)
173
+ out.push(r);
174
+ }
175
+ }
176
+ const roleClaim = payload.role;
177
+ if (typeof roleClaim === 'string' && roleClaim.length > 0) {
178
+ if (!out.includes(roleClaim))
179
+ out.push(roleClaim);
180
+ }
181
+ return out;
182
+ }
183
+ /**
184
+ * Redact a token for safe logging. Returns the first 8 characters followed by
185
+ * an ellipsis and the total length. Never returns the full token.
186
+ */
187
+ function redactToken(token) {
188
+ if (!token)
189
+ return '<empty>';
190
+ if (token.length <= 8)
191
+ return `<len=${token.length}>`;
192
+ return `${token.slice(0, 8)}…<len=${token.length}>`;
193
+ }
194
+ /**
195
+ * Classify a JWT verification failure into a discriminated `AuthErrorReason`.
196
+ * `jsonwebtoken` throws specific subclasses we can branch on; falls back to
197
+ * `bad_signature` for the generic case.
198
+ */
199
+ function classifyJwtError(error) {
200
+ if (error instanceof TokenExpiredError)
201
+ return 'expired';
202
+ if (error instanceof JsonWebTokenError) {
203
+ const msg = (error.message || '').toLowerCase();
204
+ if (msg.includes('malformed') || msg.includes('jwt must be')) {
205
+ return 'malformed';
206
+ }
207
+ return 'bad_signature';
208
+ }
209
+ return 'bad_signature';
210
+ }
211
+ // -----------------------------------------------------------------------------
212
+ // Main entry point
213
+ // -----------------------------------------------------------------------------
214
+ /**
215
+ * Verify a bearer token and return a typed `BackendPrincipal`.
216
+ *
217
+ * Throws `AuthError("invalid_token", reason)` on every failure path. Callers
218
+ * are required to handle the throw — there is no silent fallback to an
219
+ * unauthenticated principal.
220
+ *
221
+ * Structural validation pipeline:
222
+ *
223
+ * - Empty or whitespace-only -> `malformed`.
224
+ * - Exact match with `SERVER_AUTH_TOKEN` -> `{ kind: "server" }`.
225
+ * - Single segment (no dots) -> `opaque_access_token_rejected`. This is the
226
+ * structural catch for OAuth access tokens, which cannot be verified offline.
227
+ * - Exactly 3 dot-separated segments -> attempt local JWT verify, then Google
228
+ * ID-token verify. The Google branch only runs if the local JWT branch
229
+ * fails AND the configured Google audience list is non-empty.
230
+ * - Any other segment count -> `malformed`.
231
+ *
232
+ * @param token Raw bearer token (the value after `Bearer ` in the header).
233
+ * @returns A verified `BackendPrincipal` on success.
234
+ * @throws `AuthError` on any failure.
235
+ */
236
+ export async function verifyBackendToken(token) {
237
+ // ---- structural rejection of empty input ---------------------------------
238
+ if (typeof token !== 'string' || token.trim().length === 0) {
239
+ throw new AuthError('invalid_token', 'malformed');
240
+ }
241
+ // ---- path 1: server-to-server static token -------------------------------
242
+ // Read once per call so a runtime env change is honoured. The exact-match
243
+ // check guards against the historical bug of allowing the empty string to
244
+ // authenticate when SERVER_AUTH_TOKEN is unset.
245
+ const serverAuthToken = process.env.SERVER_AUTH_TOKEN;
246
+ if (typeof serverAuthToken === 'string' &&
247
+ serverAuthToken.length > 0 &&
248
+ token === serverAuthToken) {
249
+ return { kind: 'server' };
250
+ }
251
+ // ---- structural classification --------------------------------------------
252
+ const segments = token.split('.');
253
+ // Single segment (no dots) -> opaque OAuth access token (or similar).
254
+ // These tokens (ya29.…, but technically any non-dotted bearer) cannot be
255
+ // verified offline. Reject explicitly so the caller surfaces a clear reason.
256
+ if (segments.length === 1) {
257
+ logger.warn('[auth] opaque access token rejected', {
258
+ tokenPrefix: redactToken(token),
259
+ });
260
+ throw new AuthError('invalid_token', 'opaque_access_token_rejected');
261
+ }
262
+ // Anything other than 3 segments is not a valid JWT or Google ID token.
263
+ // This catches the historical `ya29.<single-payload>` form (2 segments) and
264
+ // any other malformed shape.
265
+ if (segments.length !== 3) {
266
+ logger.warn('[auth] malformed token rejected', {
267
+ tokenPrefix: redactToken(token),
268
+ segmentCount: segments.length,
269
+ });
270
+ throw new AuthError('invalid_token', 'malformed');
271
+ }
272
+ // ---- path 2: app-issued JWT ----------------------------------------------
273
+ // Try local JWT verification first. On success, return a user principal.
274
+ // On failure, capture the reason but DO NOT throw yet — we may still be
275
+ // looking at a Google ID token, which is structurally a JWT signed by Google.
276
+ let localJwtFailure;
277
+ try {
278
+ // Pin algorithm to HS256. Without this, `jsonwebtoken.verify` accepts
279
+ // `alg: "none"` (silently!) for older versions of the library — a
280
+ // well-known footgun where an attacker forges an unsigned token and
281
+ // the server accepts it as authentic. Pinning also ensures forward
282
+ // compatibility: if we ever sign with a different alg, every verifier
283
+ // is forced to update in lockstep with the signer.
284
+ const payload = jwt.verify(token, jwtSecret, { algorithms: ['HS256'] });
285
+ if (typeof payload === 'string') {
286
+ // String-payload JWTs are not used by this platform and carry no claims
287
+ // we can convert into a principal. Treat as malformed.
288
+ throw new AuthError('invalid_token', 'malformed');
289
+ }
290
+ const sub = typeof payload.sub === 'string' ? payload.sub : undefined;
291
+ if (!sub) {
292
+ // No sub claim -> no principal. Treat as malformed identity.
293
+ throw new AuthError('invalid_token', 'malformed');
294
+ }
295
+ const roles = parseRolesFromJWT(payload);
296
+ const isAdmin = roles.includes('admin');
297
+ const emailClaim = payload.email;
298
+ const email = typeof emailClaim === 'string' && emailClaim.length > 0
299
+ ? emailClaim
300
+ : undefined;
301
+ return isAdmin
302
+ ? { kind: 'admin', sub, email, roles }
303
+ : { kind: 'user', sub, email, roles };
304
+ }
305
+ catch (e) {
306
+ // AuthError thrown from inside the try-block (e.g. no-sub case) must
307
+ // propagate without being reclassified.
308
+ if (e instanceof AuthError) {
309
+ throw e;
310
+ }
311
+ localJwtFailure = classifyJwtError(e);
312
+ // Expired tokens are unambiguous: we know they were signed by us. Surface
313
+ // the expiry reason immediately rather than falling through to Google.
314
+ if (localJwtFailure === 'expired') {
315
+ throw new AuthError('invalid_token', 'expired');
316
+ }
317
+ // Otherwise, fall through to Google ID-token verification below.
318
+ }
319
+ // ---- path 3: Google ID token ---------------------------------------------
320
+ // Only attempt Google verification when an audience list is configured.
321
+ // The list is empty in dev/test by default, which causes this branch to
322
+ // throw the most-precise reason from the local JWT path above.
323
+ const audience = googleAudienceList();
324
+ if (audience.length === 0) {
325
+ // No Google verification possible. Bubble up the local JWT reason.
326
+ throw new AuthError('invalid_token', localJwtFailure ?? 'bad_signature');
327
+ }
328
+ // A 3-segment token reaching this point is presumed to be either a Google
329
+ // ID token or a forgery. Local JWT verify against our secret has already
330
+ // failed (otherwise we returned above). We surface Google's diagnosis as
331
+ // the authoritative one — `localJwtFailure` is captured only for the case
332
+ // where the audience list is empty (handled above) so we can bubble the
333
+ // best-available signal to the caller.
334
+ let ticketResult;
335
+ try {
336
+ ticketResult = await getOAuthClient().verifyIdToken({
337
+ idToken: token,
338
+ audience,
339
+ });
340
+ }
341
+ catch (e) {
342
+ // google-auth-library throws plain Errors with messages like
343
+ // "Wrong recipient, payload audience != requiredAudience" for bad audience,
344
+ // "Token used too late" for expiry, and "Invalid token signature" for
345
+ // tampering. Classify into the closest discriminated reason.
346
+ const msg = e instanceof Error ? e.message.toLowerCase() : '';
347
+ logger.warn('[auth] Google ID token verification failed', {
348
+ tokenPrefix: redactToken(token),
349
+ errorMessage: e instanceof Error ? e.message : 'unknown',
350
+ localJwtReason: localJwtFailure ?? 'n/a',
351
+ });
352
+ if (msg.includes('used too late') || msg.includes('expired')) {
353
+ throw new AuthError('invalid_token', 'expired');
354
+ }
355
+ if (msg.includes('signature') || msg.includes('invalid token')) {
356
+ throw new AuthError('invalid_token', 'bad_signature');
357
+ }
358
+ // Default classification for Google verification failures is
359
+ // `bad_audience` — BUT: when local-JWT path 2 already failed (the
360
+ // common case, since the app mints HS256 tokens that Google cannot
361
+ // recognise), the user is almost certainly NOT presenting a Google
362
+ // ID token at all. Surfacing `bad_audience` in that case hides the
363
+ // real upstream failure (typically `bad_signature` from path 2)
364
+ // behind an irrelevant fallback diagnosis. Prefer the local-JWT
365
+ // reason when present; only fall back to `bad_audience` when there
366
+ // is no local-JWT failure to bubble (i.e. a token that decoded as
367
+ // a JWT but somehow didn't reach the local-JWT branch — defensive).
368
+ throw new AuthError('invalid_token', localJwtFailure ?? 'bad_audience');
369
+ }
370
+ // ticketResult must be defined here because the catch above always throws.
371
+ const payload = ticketResult?.getPayload?.();
372
+ if (!payload) {
373
+ // Google verified the token but returned no payload — treat as a
374
+ // signature failure since we cannot extract a principal.
375
+ logger.warn('[auth] Google verifyIdToken returned no payload', {
376
+ tokenPrefix: redactToken(token),
377
+ });
378
+ throw new AuthError('invalid_token', 'bad_signature');
379
+ }
380
+ const sub = payload.sub;
381
+ if (typeof sub !== 'string' || sub.length === 0) {
382
+ // No `sub` claim from Google -> no principal we can use.
383
+ logger.warn('[auth] Google payload missing sub claim', {
384
+ tokenPrefix: redactToken(token),
385
+ });
386
+ throw new AuthError('invalid_token', 'bad_signature');
387
+ }
388
+ return {
389
+ kind: 'user',
390
+ sub,
391
+ email: typeof payload.email === 'string' ? payload.email : undefined,
392
+ roles: ['user'],
393
+ };
394
+ }
395
+ //# sourceMappingURL=token-verifier.js.map
package/esm/client.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,YAAY,IAAI,gBAAgB,EAChC,aAAa,IAAI,iBAAiB,EAClC,qBAAqB,EAEtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEpE,YAAY,EACV,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,GACtB,CAAC;AAGF,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,cAAc,gBAAgB,EAAE,YAAY,CAAC;IAC3D,aAAa,EAAE,cAAc,6CAA6C,EAAE,aAAa,CAAC;IAC1F,QAAQ,EAAE,cAAc,0BAA0B,EAAE,QAAQ,CAAC;IAC7D,GAAG,EAAE,cAAc,gBAAgB,EAAE,GAAG,CAAC;IACzC,WAAW,EAAE,cAAc,gBAAgB,EAAE,WAAW,CAAC;IACzD,KAAK,EAAE,cAAc,gBAAgB,EAAE,KAAK,CAAC;IAC7C,UAAU,EAAE,cAAc,6BAA6B,EAAE,UAAU,CAAC;IACpE,OAAO,EAAE,cAAc,2BAA2B,EAAE,OAAO,CAAC;IAC5D;;;;;;OAMG;IACH,4BAA4B,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE;QACrC,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;KAChC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAGD,UAAU,oBAAoB;IAC5B,uBAAuB,EAAE,MAAM,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;;;;;OASG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;;;;;;;;;;;;;;;OAiBG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAoBD;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;AAgJ3D;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,OAAO,CAAC,oBAAoB,CAAC,GACpC,IAAI,CAKN;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAS9D;AAiYD;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAC9C,gBAAgB,CAAC,qBAAqB,CAAC,CACxC,CAmPA;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAK/D;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,MAAM,EAAE,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,CAevE,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,qEAAqE;IACrE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,uBAAuB,EAAE,MAAM,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IACtB,8EAA8E;IAC9E,gBAAgB,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,wBAAwB,EAAE,MAAM,CAAC;IACjC,sEAAsE;IACtE,oBAAoB,EAAE,MAAM,CAAC;IAC7B,2DAA2D;IAC3D,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;;;;;OAOG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iEAAiE;IACjE,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAgB,YAAY,IAAI,SAAS,CAgBxC;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,IAAI,IAAI,CAMjC"}
1
+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,YAAY,IAAI,gBAAgB,EAChC,aAAa,IAAI,iBAAiB,EAClC,qBAAqB,EAEtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEpE,YAAY,EACV,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,GACtB,CAAC;AAGF,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,cAAc,gBAAgB,EAAE,YAAY,CAAC;IAC3D,aAAa,EAAE,cAAc,6CAA6C,EAAE,aAAa,CAAC;IAC1F,QAAQ,EAAE,cAAc,0BAA0B,EAAE,QAAQ,CAAC;IAC7D,GAAG,EAAE,cAAc,gBAAgB,EAAE,GAAG,CAAC;IACzC,WAAW,EAAE,cAAc,gBAAgB,EAAE,WAAW,CAAC;IACzD,KAAK,EAAE,cAAc,gBAAgB,EAAE,KAAK,CAAC;IAC7C,UAAU,EAAE,cAAc,6BAA6B,EAAE,UAAU,CAAC;IACpE,OAAO,EAAE,cAAc,2BAA2B,EAAE,OAAO,CAAC;IAC5D;;;;;;OAMG;IACH,4BAA4B,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE;QACrC,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;KAChC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAGD,UAAU,oBAAoB;IAC5B,uBAAuB,EAAE,MAAM,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;;;;;OASG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;;;;;;;;;;;;;;;OAiBG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAoBD;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;AAgJ3D;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,OAAO,CAAC,oBAAoB,CAAC,GACpC,IAAI,CAKN;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAS9D;AAyYD;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAC9C,gBAAgB,CAAC,qBAAqB,CAAC,CACxC,CAmPA;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAK/D;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,MAAM,EAAE,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,CAevE,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,qEAAqE;IACrE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,uBAAuB,EAAE,MAAM,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IACtB,8EAA8E;IAC9E,gBAAgB,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,wBAAwB,EAAE,MAAM,CAAC;IACjC,sEAAsE;IACtE,oBAAoB,EAAE,MAAM,CAAC;IAC7B,2DAA2D;IAC3D,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;;;;;OAOG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iEAAiE;IACjE,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAgB,YAAY,IAAI,SAAS,CAgBxC;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,IAAI,IAAI,CAMjC"}
package/esm/client.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,YAAY;AAEZ,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AA8FxC,MAAM,mBAAmB,GAAyB;IAChD,qEAAqE;IACrE,mEAAmE;IACnE,iEAAiE;IACjE,sEAAsE;IACtE,sEAAsE;IACtE,uDAAuD;IACvD,uBAAuB,EAAE,EAAE;IAC3B,aAAa,EAAE,CAAC,EAAE,iDAAiD;IACnE,UAAU,EAAE,IAAI,EAAE,kEAAkE;IACpF,iBAAiB,EAAE,KAAK,EAAE,2BAA2B;IACrD,+DAA+D;IAC/D,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE,KAAK,EAAE,wEAAwE;IACnG,uBAAuB,EAAE,IAAI,EAAE,+CAA+C;CAC/E,CAAC;AASF,yBAAyB;AACzB,IAAI,aAAwC,CAAC;AAC7C,IAAI,YAAiE,CAAC;AACtE,IAAI,iBAAiB,GAAG,CAAC,CAAC;AAC1B,MAAM,cAAc,GAIf,EAAE,CAAC;AACR,IAAI,UAAU,GAAyB,mBAAmB,CAAC;AAC3D,IAAI,mBAA8C,CAAC;AAEnD,sCAAsC;AACtC,qEAAqE;AACrE,kEAAkE;AAClE,uEAAuE;AACvE,2BAA2B;AAC3B,MAAM,YAAY,GAAG;IACnB,aAAa,EAAE,CAAC;IAChB,gBAAgB,EAAE,CAAC;IACnB,wBAAwB,EAAE,CAAC;IAC3B,oBAAoB,EAAE,CAAC;IACvB,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;CACtB,CAAC;AA+BF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAyB,CAAC;AAEzD;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxE,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC1D,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,CACL,GAAG;QACH,IAAI;aACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aAC7D,IAAI,CAAC,GAAG,CAAC;QACZ,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CACzB,aAAqB,EACrB,OAAgB;IAEhB,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,uBAAuB,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;QAC9D,IAAI,CAAC,aAAa,IAAI,aAAa,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QACjE,8DAA8D;QAC9D,MAAM,IAAI,GAAG,OAMZ,CAAC;QACF,qEAAqE;QACrE,gEAAgE;QAChE,IAAI,IAAI,EAAE,QAAQ;YAAE,OAAO,IAAI,CAAC;QAChC,sCAAsC;QACtC,IAAI,CAAC,IAAI,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAC9B,iEAAiE;QACjE,yDAAyD;QACzD,IAAI,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACtE,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;QACrD,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,IAAI,SAAS,CAAC;QACzC,OAAO,GAAG,aAAa,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAaD;;GAEG;AACH,KAAK,UAAU,iBAAiB;IAC9B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnE,mEAAmE;QACnE,OAAO,CAAC,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAkB,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,kDAAkD;QAClD,OAAO,CAAC,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAkB,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAqC;IAErC,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,GAAG,MAAM,EAAE,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;QACtD,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;KACvC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAuB;IACtD,mBAAmB,GAAG,QAAQ,CAAC;IAC/B,yDAAyD;IACzD,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CACT,yEAAyE,CAC1E,CAAC;QACF,YAAY,GAAG,SAAS,CAAC;IAC3B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,oFAAoF;IACpF,MAAM,cAAc,GAAG,kBAAkB,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,YAAY;IACzB,IAAI,KAAK,GAAG,EAAE,CAAC;IAEf,8CAA8C;IAC9C,IAAI,mBAAmB,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,0DAA0D,EAAE;gBACvE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,KAAK;YACH,OAAO,CAAC,GAAG,CAAC,6BAA6B;gBACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB;gBAC7B,EAAE,CAAC;IACP,CAAC;IAED,4BAA4B;IAC5B,IAAI,KAAK,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,8CAA8C;QAC9C,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,8CAA8C;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,CAAC,IAAI,CACT,kEAAkE;YAChE,6EAA6E;YAC7E,oHAAoH,CACvH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,YAAY;IACnB,2EAA2E;IAC3E,OACE,iBAAiB,GAAG,UAAU,CAAC,uBAAuB;QACtD,cAAc,CAAC,MAAM,GAAG,CAAC,EACzB,CAAC;QACD,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,iBAAiB,EAAE,CAAC;YACpB,KAAK,KAAK,CAAC,gBAAgB,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBACzC,iBAAiB,EAAE,CAAC;gBACpB,YAAY,EAAE,CAAC,CAAC,iDAAiD;YACnE,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,oBAAoB,CAAC,OAAgB;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAGZ,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,QAAQ,CAAC;QAC1C,MAAM,IAAI,GAAG,GAAG,EAAE,WAAW,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,GAGT,CAAC;YACF,IAAI,CAAC,EAAE,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBACtC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI,WAAW,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO;IACL,wDAAwD;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAAC;QACnD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACvC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC1C,gEAAgE;QAChE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;QACzB,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAAC;QAC5C,sEAAsE;QACtE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;QACzB,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC;QAC9C,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAAC;QACnD,6DAA6D;QAC7D,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CACpC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,SAA2B,EAC3B,aAAqB,EACrB,OAAO,GAAG,CAAC;IAEX,yEAAyE;IACzE,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,iCAAiC;IACjC,IAAI,OAAO,KAAK,CAAC,IAAI,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;QACvE,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,iCAAiC,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,GAAG,EACvH;YACE,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc,CAAC,MAAM;YACjC,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,iBAAiB;YACjB,uBAAuB,EAAE,UAAU,CAAC,uBAAuB;YAC3D,QAAQ,EAAE,eAAe;SAC1B,CACF,CAAC;QACF,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,qBAAqB,aAAa,gCAAgC,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,2BAA2B,CAC/I,CACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,gBAAgB,GAAG,KAAK,IAAmB,EAAE;YACjD,qEAAqE;YACrE,oEAAoE;YACpE,uEAAuE;YACvE,sEAAsE;YACtE,kEAAkE;YAClE,kCAAkC;YAClC,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;gBACvC,IAAI,MAAM,GAAG,UAAU,CAAC,kBAAkB,EAAE,CAAC;oBAC3C,YAAY,CAAC,wBAAwB,EAAE,CAAC;oBACxC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,mCAAmC,UAAU,CAAC,kBAAkB,cAAc,MAAM,KAAK,EAC3H;wBACE,SAAS,EAAE,aAAa;wBACxB,MAAM;wBACN,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;wBACjD,UAAU,EAAE,cAAc,CAAC,MAAM;wBACjC,iBAAiB;wBACjB,QAAQ,EAAE,oBAAoB;qBAC/B,CACF,CAAC;oBACF,MAAM,CACJ,IAAI,KAAK,CACP,qBAAqB,aAAa,yBAAyB,MAAM,eAAe,UAAU,CAAC,kBAAkB,sCAAsC,CACpJ,CACF,CAAC;oBACF,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;gBACjC,YAAY,CAAC,aAAa,EAAE,CAAC;gBAC7B,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAChB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAEzD,MAAM,aAAa,GACjB,KAAK,YAAY,KAAK;oBACtB,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;wBAC/C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBAE/C,wEAAwE;gBACxE,wEAAwE;gBACxE,oEAAoE;gBACpE,qEAAqE;gBACrE,qEAAqE;gBACrE,gEAAgE;gBAChE,oEAAoE;gBACpE,mEAAmE;gBACnE,+DAA+D;gBAC/D,uDAAuD;gBACvD,EAAE;gBACF,oEAAoE;gBACpE,mEAAmE;gBACnE,sEAAsE;gBACtE,oBAAoB;gBACpB,MAAM,oBAAoB,GACxB,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,aAAa,CAAC;gBAEzD,mEAAmE;gBACnE,qEAAqE;gBACrE,oEAAoE;gBACpE,6DAA6D;gBAC7D,MAAM,kBAAkB,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;gBAEpE,MAAM,WAAW,GACf,CAAC,oBAAoB;oBACrB,CAAC,kBAAkB;oBACnB,KAAK,YAAY,KAAK;oBACtB,kEAAkE;oBAClE,kEAAkE;oBAClE,gEAAgE;oBAChE,iEAAiE;oBACjE,mCAAmC;oBACnC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;wBAC9C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;wBACxC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;wBACjC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC;wBACrD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC;wBACjD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;wBAC/B,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;wBAChD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBAE/C,IAAI,oBAAoB,EAAE,CAAC;oBACzB,MAAM,CAAC,IAAI,CACT,oBAAoB,aAAa,yFAAyF,EAC1H;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,yBAAyB;qBACpC,CACF,CAAC;gBACJ,CAAC;gBAED,IAAI,kBAAkB,EAAE,CAAC;oBACvB,YAAY,CAAC,oBAAoB,EAAE,CAAC;oBACpC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,uGAAuG,EACzI;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,oBAAoB;qBAC/B,CACF,CAAC;gBACJ,CAAC;gBAED,IAAI,OAAO,GAAG,UAAU,CAAC,aAAa,IAAI,WAAW,EAAE,CAAC;oBACtD,oEAAoE;oBACpE,kEAAkE;oBAClE,gEAAgE;oBAChE,gEAAgE;oBAChE,0DAA0D;oBAC1D,sDAAsD;oBACtD,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;oBAC1D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC;oBACvB,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC;oBACpC,MAAM,KAAK,GACT,KAAK,IAAI,KAAK;wBACZ,CAAC,CAAC,KAAK;wBACP,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC1D,YAAY,CAAC,kBAAkB,EAAE,CAAC;oBAClC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,yBAAyB,KAAK,eAAe,OAAO,GAAG,CAAC,IAAI,UAAU,CAAC,aAAa,GAAG,EACzH;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,UAAU,CAAC,aAAa;wBACrC,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,OAAO;qBAClB,CACF,CAAC;oBACF,UAAU,CAAC,GAAG,EAAE;wBACd,gBAAgB,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,GAAG,CAAC,CAAC;6BACpD,IAAI,CAAC,OAAO,CAAC;6BACb,KAAK,CAAC,MAAM,CAAC,CAAC;oBACnB,CAAC,EAAE,KAAK,CAAC,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,IAAI,WAAW,EAAE,CAAC;wBAChB,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,wBAAwB,UAAU,CAAC,aAAa,IAAI,UAAU,CAAC,aAAa,GAAG,EACjH;4BACE,SAAS,EAAE,aAAa;4BACxB,QAAQ,EAAE,UAAU,CAAC,aAAa;4BAClC,KAAK,EAAE,YAAY;4BACnB,QAAQ,EAAE,iBAAiB;yBAC5B,CACF,CAAC;oBACJ,CAAC;oBACD,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,cAAc,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;QACrE,YAAY,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IAGnC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,CAAC;QACH,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,GAClE,aAAa,CAAC;QAEhB,oEAAoE;QACpE,mEAAmE;QACnE,uEAAuE;QACvE,uEAAuE;QACvE,mEAAmE;QACnE,mEAAmE;QACnE,EAAE;QACF,mEAAmE;QACnE,sEAAsE;QACtE,kEAAkE;QAClE,cAAc;QACd,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,aAEpB,CAAC;YACF,IAAI,OAAO,YAAY,CAAC,4BAA4B,KAAK,UAAU,EAAE,CAAC;gBACpE,MAAM,YAAY,CAAC,4BAA4B,EAAE,CAAC;YACpD,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAC3D,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,6BAA6B;YACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB;YAC7B,CAAC,YAAY;gBACX,CAAC,CAAC,gCAAgC;gBAClC,CAAC,CAAC,+BAA+B,CAAC,CAAC;QAEvC,iEAAiE;QACjE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,2CAA2C;QAC3C,EAAE;QACF,0DAA0D;QAC1D,oEAAoE;QACpE,0EAA0E;QAC1E,6DAA6D;QAC7D,MAAM,SAAS,GAAG,UAAU,CAAC,iBAAiB,CAAC;QAC/C,MAAM,gBAAgB,GAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YACrD,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACrD,MAAM,cAAc,GAAG,IAAI,EAAE,MAAM,CAAC;YACpC,MAAM,MAAM,GAAG,cAAc;gBAC3B,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;gBAClD,CAAC,CAAC,aAAa,CAAC;YAClB,OAAO,KAAK,CAAC,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC;QAEF,MAAM,gBAAgB,GAAG,IAAI,QAAQ,CAAC;YACpC,GAAG,EAAE,OAAO;YACZ,KAAK,EAAE,gBAAgB;SACxB,CAAC,CAAC;QAEH,kEAAkE;QAClE,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;YACzD,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,IAAI,EAAE,CAAC;YAC1C,kCAAkC;YAClC,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;YACnC,OAAO;gBACL,OAAO,EAAE;oBACP,GAAG,OAAO;oBACV,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE;oBAC7C,UAAU,EAAE,YAAY;iBACzB;aACF,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,mDAAmD;QACnD,EAAE;QACF,sEAAsE;QACtE,sEAAsE;QACtE,kEAAkE;QAClE,mEAAmE;QACnE,gEAAgE;QAChE,kEAAkE;QAClE,4CAA4C;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,EAAE;YAC5D,IAAI,aAAa,EAAE,CAAC;gBAClB,aAAa,CAAC,OAAO,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE;oBACrD,gEAAgE;oBAChE,iDAAiD;oBACjD,yDAAyD;oBACzD,oDAAoD;oBACpD,+BAA+B;oBAC/B,MAAM,oBAAoB,GACxB,OAAO,CAAC,QAAQ,CAAC,kCAAkC,CAAC;wBACpD,OAAO,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;oBACxD,MAAM,kBAAkB,GACtB,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC;wBACvC,OAAO,CAAC,QAAQ,CAAC,+CAA+C,CAAC,CAAC;oBAEpE,IAAI,oBAAoB,EAAE,CAAC;wBACzB,MAAM,CAAC,IAAI,CACT,qCAAqC,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CACtF,CAAC;oBACJ,CAAC;yBAAM,IAAI,kBAAkB,EAAE,CAAC;wBAC9B,MAAM,CAAC,IAAI,CACT,0CAA0C,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CAC3F,CAAC;oBACJ,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,KAAK,CACV,6BAA6B,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CAC9E,CAAC;oBACJ,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;YACD,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;gBACxC,4DAA4D;gBAC5D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,2DAA2D;gBAC3D,8DAA8D;gBAC9D,wBAAwB;gBACxB,MAAM,WAAW,GACf,UAAU,CAAC,QAAQ,CAAC,yBAAyB,CAAC;oBAC9C,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC;oBACnC,UAAU,CAAC,QAAQ,CAAC,wBAAwB,CAAC;oBAC7C,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC;oBACjC,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAChC,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC;oBACnC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBACrC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;gBAEzC,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CACT,oBAAoB,UAAU,+CAA+C,CAC9E,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,KAAK,CAAC,oBAAoB,UAAU,EAAE,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,MAAM,cAAc,GAAmB;YACrC,UAAU,EAAE;gBACV,WAAW,EAAE,mBAAmB;gBAChC,WAAW,EAAE,KAAK;aACnB;YACD,KAAK,EAAE;gBACL,WAAW,EAAE,cAAc;gBAC3B,WAAW,EAAE,KAAK;aACnB;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,KAAK;aACnB;SACF,CAAC;QAEF,wDAAwD;QACxD,6EAA6E;QAC7E,YAAY,GAAG,IAAI,YAAY,CAAC;YAC9B,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACzD,KAAK,EAAE,IAAI,aAAa,CAAC;gBACvB,oDAAoD;gBACpD,mEAAmE;gBACnE,YAAY,EAAE,EAAE;aACjB,CAAC;YACF,cAAc;YACd,QAAQ,EAAE;gBACR,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;aAC/C;SACF,CAAC,CAAC;QAEH,wEAAwE;QACxE,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE9D,YAAY,CAAC,KAAK,GAAG,CAAC,CAAC,OAA4C,EAAE,EAAE;YACrE,MAAM,aAAa,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACpD,MAAM,WAAW,GAAG,kBAAkB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAE/D,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAClD,IAAI,QAAQ,EAAE,CAAC;oBACb,YAAY,CAAC,kBAAkB,EAAE,CAAC;oBAClC,QAAQ,CAAC,IAAI,EAAE,CAAC;oBAChB,gEAAgE;oBAChE,kEAAkE;oBAClE,+DAA+D;oBAC/D,8DAA8D;oBAC9D,+DAA+D;oBAC/D,uDAAuD;oBACvD,OAAO,QAAQ,CAAC,OAEf,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,gBAAgB,CAC9B,GAAG,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,EAC5B,aAAa,CACd,CAAC;gBACF,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE;oBAC/B,OAAO;oBACP,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;oBAC3B,IAAI,EAAE,CAAC;iBACR,CAAC,CAAC;gBACH,+DAA+D;gBAC/D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,yCAAyC;gBACzC,MAAM,OAAO,GAAG,GAAS,EAAE;oBACzB,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBACtC,CAAC,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC/B,OAAO,OAAsD,CAAC;YAChE,CAAC;YAED,OAAO,gBAAgB,CACrB,GAAG,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,EAC5B,aAAa,CACiC,CAAC;QACnD,CAAC,CAA8B,CAAC;QAEhC,YAAY,CAAC,MAAM,GAAG,CAAC,OAAO,EAAE,EAAE;YAChC,OAAO,gBAAgB,CACrB,GAAG,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,EAC7B,oBAAoB,CAAC,OAAO,CAAC,CAC9B,CAAC;QACJ,CAAC,CAAC;QAEF,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC3E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC5C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,MAAM,GAAyD;IAC1E,IAAI,CACF,WAKa,EACb,UAGa;QAEb,OAAO,eAAe,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACzD,CAAC;CACF,CAAC;AAyCF;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO;QACL,iBAAiB;QACjB,UAAU,EAAE,cAAc,CAAC,MAAM;QACjC,uBAAuB,EAAE,UAAU,CAAC,uBAAuB;QAC3D,aAAa,EAAE,UAAU,CAAC,aAAa;QACvC,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;QACjD,mBAAmB,EAAE,UAAU,CAAC,iBAAiB;QACjD,aAAa,EAAE,YAAY,CAAC,aAAa;QACzC,gBAAgB,EAAE,YAAY,CAAC,gBAAgB;QAC/C,wBAAwB,EAAE,YAAY,CAAC,wBAAwB;QAC/D,oBAAoB,EAAE,YAAY,CAAC,oBAAoB;QACvD,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,qBAAqB,EAAE,eAAe,CAAC,IAAI;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU;IACxB,IAAI,YAAY,EAAE,CAAC;QACjB,YAAY,CAAC,IAAI,EAAE,CAAC;QACpB,YAAY,GAAG,SAAS,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,YAAY;AAEZ,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AA8FxC,MAAM,mBAAmB,GAAyB;IAChD,qEAAqE;IACrE,mEAAmE;IACnE,iEAAiE;IACjE,sEAAsE;IACtE,sEAAsE;IACtE,uDAAuD;IACvD,uBAAuB,EAAE,EAAE;IAC3B,aAAa,EAAE,CAAC,EAAE,iDAAiD;IACnE,UAAU,EAAE,IAAI,EAAE,kEAAkE;IACpF,iBAAiB,EAAE,KAAK,EAAE,2BAA2B;IACrD,+DAA+D;IAC/D,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE,KAAK,EAAE,wEAAwE;IACnG,uBAAuB,EAAE,IAAI,EAAE,+CAA+C;CAC/E,CAAC;AASF,yBAAyB;AACzB,IAAI,aAAwC,CAAC;AAC7C,IAAI,YAAiE,CAAC;AACtE,IAAI,iBAAiB,GAAG,CAAC,CAAC;AAC1B,MAAM,cAAc,GAIf,EAAE,CAAC;AACR,IAAI,UAAU,GAAyB,mBAAmB,CAAC;AAC3D,IAAI,mBAA8C,CAAC;AAEnD,sCAAsC;AACtC,qEAAqE;AACrE,kEAAkE;AAClE,uEAAuE;AACvE,2BAA2B;AAC3B,MAAM,YAAY,GAAG;IACnB,aAAa,EAAE,CAAC;IAChB,gBAAgB,EAAE,CAAC;IACnB,wBAAwB,EAAE,CAAC;IAC3B,oBAAoB,EAAE,CAAC;IACvB,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;CACtB,CAAC;AA+BF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAyB,CAAC;AAEzD;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxE,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC1D,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,CACL,GAAG;QACH,IAAI;aACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aAC7D,IAAI,CAAC,GAAG,CAAC;QACZ,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CACzB,aAAqB,EACrB,OAAgB;IAEhB,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,uBAAuB,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;QAC9D,IAAI,CAAC,aAAa,IAAI,aAAa,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QACjE,8DAA8D;QAC9D,MAAM,IAAI,GAAG,OAMZ,CAAC;QACF,qEAAqE;QACrE,gEAAgE;QAChE,IAAI,IAAI,EAAE,QAAQ;YAAE,OAAO,IAAI,CAAC;QAChC,sCAAsC;QACtC,IAAI,CAAC,IAAI,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAC9B,iEAAiE;QACjE,yDAAyD;QACzD,IAAI,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACtE,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;QACrD,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,IAAI,SAAS,CAAC;QACzC,OAAO,GAAG,aAAa,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAaD;;GAEG;AACH,KAAK,UAAU,iBAAiB;IAC9B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnE,mEAAmE;QACnE,OAAO,CAAC,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAkB,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,kDAAkD;QAClD,OAAO,CAAC,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAkB,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAqC;IAErC,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,GAAG,MAAM,EAAE,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;QACtD,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;KACvC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAuB;IACtD,mBAAmB,GAAG,QAAQ,CAAC;IAC/B,yDAAyD;IACzD,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CACT,yEAAyE,CAC1E,CAAC;QACF,YAAY,GAAG,SAAS,CAAC;IAC3B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,oFAAoF;IACpF,MAAM,cAAc,GAAG,kBAAkB,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,YAAY;IACzB,IAAI,KAAK,GAAG,EAAE,CAAC;IAEf,8CAA8C;IAC9C,IAAI,mBAAmB,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,0DAA0D,EAAE;gBACvE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,KAAK;YACH,OAAO,CAAC,GAAG,CAAC,6BAA6B;gBACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB;gBAC7B,EAAE,CAAC;IACP,CAAC;IAED,4BAA4B;IAC5B,IAAI,KAAK,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,mEAAmE;QACnE,qEAAqE;QACrE,uEAAuE;QACvE,gEAAgE;QAChE,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT,wEAAwE;gBACtE,kEAAkE;gBAClE,yEAAyE;gBACzE,UAAU,CACb,CAAC;YACF,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,CAAC,IAAI,CACT,kEAAkE;YAChE,6EAA6E;YAC7E,oHAAoH,CACvH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,YAAY;IACnB,2EAA2E;IAC3E,OACE,iBAAiB,GAAG,UAAU,CAAC,uBAAuB;QACtD,cAAc,CAAC,MAAM,GAAG,CAAC,EACzB,CAAC;QACD,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,EAAE,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,iBAAiB,EAAE,CAAC;YACpB,KAAK,KAAK,CAAC,gBAAgB,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBACzC,iBAAiB,EAAE,CAAC;gBACpB,YAAY,EAAE,CAAC,CAAC,iDAAiD;YACnE,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,oBAAoB,CAAC,OAAgB;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAGZ,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,QAAQ,CAAC;QAC1C,MAAM,IAAI,GAAG,GAAG,EAAE,WAAW,CAAC;QAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,GAGT,CAAC;YACF,IAAI,CAAC,EAAE,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBACtC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI,WAAW,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO;IACL,wDAAwD;IACxD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAAC;QACnD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QACvC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC1C,gEAAgE;QAChE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;QACzB,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAAC;QAC5C,sEAAsE;QACtE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;QACzB,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC;QAC9C,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAAC;QACnD,6DAA6D;QAC7D,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CACpC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,SAA2B,EAC3B,aAAqB,EACrB,OAAO,GAAG,CAAC;IAEX,yEAAyE;IACzE,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,qEAAqE;IACrE,iCAAiC;IACjC,IAAI,OAAO,KAAK,CAAC,IAAI,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;QACvE,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,iCAAiC,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,GAAG,EACvH;YACE,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc,CAAC,MAAM;YACjC,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,iBAAiB;YACjB,uBAAuB,EAAE,UAAU,CAAC,uBAAuB;YAC3D,QAAQ,EAAE,eAAe;SAC1B,CACF,CAAC;QACF,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,qBAAqB,aAAa,gCAAgC,cAAc,CAAC,MAAM,IAAI,UAAU,CAAC,aAAa,2BAA2B,CAC/I,CACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,gBAAgB,GAAG,KAAK,IAAmB,EAAE;YACjD,qEAAqE;YACrE,oEAAoE;YACpE,uEAAuE;YACvE,sEAAsE;YACtE,kEAAkE;YAClE,kCAAkC;YAClC,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;gBACvC,IAAI,MAAM,GAAG,UAAU,CAAC,kBAAkB,EAAE,CAAC;oBAC3C,YAAY,CAAC,wBAAwB,EAAE,CAAC;oBACxC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,mCAAmC,UAAU,CAAC,kBAAkB,cAAc,MAAM,KAAK,EAC3H;wBACE,SAAS,EAAE,aAAa;wBACxB,MAAM;wBACN,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;wBACjD,UAAU,EAAE,cAAc,CAAC,MAAM;wBACjC,iBAAiB;wBACjB,QAAQ,EAAE,oBAAoB;qBAC/B,CACF,CAAC;oBACF,MAAM,CACJ,IAAI,KAAK,CACP,qBAAqB,aAAa,yBAAyB,MAAM,eAAe,UAAU,CAAC,kBAAkB,sCAAsC,CACpJ,CACF,CAAC;oBACF,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;gBACjC,YAAY,CAAC,aAAa,EAAE,CAAC;gBAC7B,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAChB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAEzD,MAAM,aAAa,GACjB,KAAK,YAAY,KAAK;oBACtB,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;wBAC/C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBAE/C,wEAAwE;gBACxE,wEAAwE;gBACxE,oEAAoE;gBACpE,qEAAqE;gBACrE,qEAAqE;gBACrE,gEAAgE;gBAChE,oEAAoE;gBACpE,mEAAmE;gBACnE,+DAA+D;gBAC/D,uDAAuD;gBACvD,EAAE;gBACF,oEAAoE;gBACpE,mEAAmE;gBACnE,sEAAsE;gBACtE,oBAAoB;gBACpB,MAAM,oBAAoB,GACxB,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,aAAa,CAAC;gBAEzD,mEAAmE;gBACnE,qEAAqE;gBACrE,oEAAoE;gBACpE,6DAA6D;gBAC7D,MAAM,kBAAkB,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;gBAEpE,MAAM,WAAW,GACf,CAAC,oBAAoB;oBACrB,CAAC,kBAAkB;oBACnB,KAAK,YAAY,KAAK;oBACtB,kEAAkE;oBAClE,kEAAkE;oBAClE,gEAAgE;oBAChE,iEAAiE;oBACjE,mCAAmC;oBACnC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;wBAC9C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBACnC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;wBACxC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;wBACjC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC;wBACrD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC;wBACjD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;wBAC/B,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBACpC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;wBAChD,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;wBACtC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;wBACzC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBAE/C,IAAI,oBAAoB,EAAE,CAAC;oBACzB,MAAM,CAAC,IAAI,CACT,oBAAoB,aAAa,yFAAyF,EAC1H;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,yBAAyB;qBACpC,CACF,CAAC;gBACJ,CAAC;gBAED,IAAI,kBAAkB,EAAE,CAAC;oBACvB,YAAY,CAAC,oBAAoB,EAAE,CAAC;oBACpC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,uGAAuG,EACzI;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,oBAAoB;qBAC/B,CACF,CAAC;gBACJ,CAAC;gBAED,IAAI,OAAO,GAAG,UAAU,CAAC,aAAa,IAAI,WAAW,EAAE,CAAC;oBACtD,oEAAoE;oBACpE,kEAAkE;oBAClE,gEAAgE;oBAChE,gEAAgE;oBAChE,0DAA0D;oBAC1D,sDAAsD;oBACtD,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;oBAC1D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC;oBACvB,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC;oBACpC,MAAM,KAAK,GACT,KAAK,IAAI,KAAK;wBACZ,CAAC,CAAC,KAAK;wBACP,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC1D,YAAY,CAAC,kBAAkB,EAAE,CAAC;oBAClC,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,yBAAyB,KAAK,eAAe,OAAO,GAAG,CAAC,IAAI,UAAU,CAAC,aAAa,GAAG,EACzH;wBACE,SAAS,EAAE,aAAa;wBACxB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,UAAU,CAAC,aAAa;wBACrC,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,YAAY;wBACnB,QAAQ,EAAE,OAAO;qBAClB,CACF,CAAC;oBACF,UAAU,CAAC,GAAG,EAAE;wBACd,gBAAgB,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,GAAG,CAAC,CAAC;6BACpD,IAAI,CAAC,OAAO,CAAC;6BACb,KAAK,CAAC,MAAM,CAAC,CAAC;oBACnB,CAAC,EAAE,KAAK,CAAC,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,IAAI,WAAW,EAAE,CAAC;wBAChB,MAAM,CAAC,IAAI,CACT,qBAAqB,aAAa,wBAAwB,UAAU,CAAC,aAAa,IAAI,UAAU,CAAC,aAAa,GAAG,EACjH;4BACE,SAAS,EAAE,aAAa;4BACxB,QAAQ,EAAE,UAAU,CAAC,aAAa;4BAClC,KAAK,EAAE,YAAY;4BACnB,QAAQ,EAAE,iBAAiB;yBAC5B,CACF,CAAC;oBACJ,CAAC;oBACD,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,cAAc,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;QACrE,YAAY,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IAGnC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,CAAC;QACH,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,GAClE,aAAa,CAAC;QAEhB,oEAAoE;QACpE,mEAAmE;QACnE,uEAAuE;QACvE,uEAAuE;QACvE,mEAAmE;QACnE,mEAAmE;QACnE,EAAE;QACF,mEAAmE;QACnE,sEAAsE;QACtE,kEAAkE;QAClE,cAAc;QACd,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,aAEpB,CAAC;YACF,IAAI,OAAO,YAAY,CAAC,4BAA4B,KAAK,UAAU,EAAE,CAAC;gBACpE,MAAM,YAAY,CAAC,4BAA4B,EAAE,CAAC;YACpD,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAC3D,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,6BAA6B;YACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB;YAC7B,CAAC,YAAY;gBACX,CAAC,CAAC,gCAAgC;gBAClC,CAAC,CAAC,+BAA+B,CAAC,CAAC;QAEvC,iEAAiE;QACjE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,2CAA2C;QAC3C,EAAE;QACF,0DAA0D;QAC1D,oEAAoE;QACpE,0EAA0E;QAC1E,6DAA6D;QAC7D,MAAM,SAAS,GAAG,UAAU,CAAC,iBAAiB,CAAC;QAC/C,MAAM,gBAAgB,GAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YACrD,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACrD,MAAM,cAAc,GAAG,IAAI,EAAE,MAAM,CAAC;YACpC,MAAM,MAAM,GAAG,cAAc;gBAC3B,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;gBAClD,CAAC,CAAC,aAAa,CAAC;YAClB,OAAO,KAAK,CAAC,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC;QAEF,MAAM,gBAAgB,GAAG,IAAI,QAAQ,CAAC;YACpC,GAAG,EAAE,OAAO;YACZ,KAAK,EAAE,gBAAgB;SACxB,CAAC,CAAC;QAEH,kEAAkE;QAClE,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;YACzD,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,IAAI,EAAE,CAAC;YAC1C,kCAAkC;YAClC,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;YACnC,OAAO;gBACL,OAAO,EAAE;oBACP,GAAG,OAAO;oBACV,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE;oBAC7C,UAAU,EAAE,YAAY;iBACzB;aACF,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,mDAAmD;QACnD,EAAE;QACF,sEAAsE;QACtE,sEAAsE;QACtE,kEAAkE;QAClE,mEAAmE;QACnE,gEAAgE;QAChE,kEAAkE;QAClE,4CAA4C;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,EAAE;YAC5D,IAAI,aAAa,EAAE,CAAC;gBAClB,aAAa,CAAC,OAAO,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE;oBACrD,gEAAgE;oBAChE,iDAAiD;oBACjD,yDAAyD;oBACzD,oDAAoD;oBACpD,+BAA+B;oBAC/B,MAAM,oBAAoB,GACxB,OAAO,CAAC,QAAQ,CAAC,kCAAkC,CAAC;wBACpD,OAAO,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;oBACxD,MAAM,kBAAkB,GACtB,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC;wBACvC,OAAO,CAAC,QAAQ,CAAC,+CAA+C,CAAC,CAAC;oBAEpE,IAAI,oBAAoB,EAAE,CAAC;wBACzB,MAAM,CAAC,IAAI,CACT,qCAAqC,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CACtF,CAAC;oBACJ,CAAC;yBAAM,IAAI,kBAAkB,EAAE,CAAC;wBAC9B,MAAM,CAAC,IAAI,CACT,0CAA0C,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CAC3F,CAAC;oBACJ,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,KAAK,CACV,6BAA6B,OAAO,eAAe,SAAS,WAAW,IAAI,EAAE,CAC9E,CAAC;oBACJ,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;YACD,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;gBACxC,4DAA4D;gBAC5D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,2DAA2D;gBAC3D,8DAA8D;gBAC9D,wBAAwB;gBACxB,MAAM,WAAW,GACf,UAAU,CAAC,QAAQ,CAAC,yBAAyB,CAAC;oBAC9C,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC;oBACnC,UAAU,CAAC,QAAQ,CAAC,wBAAwB,CAAC;oBAC7C,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC;oBACjC,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAChC,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC;oBACnC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBACrC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBACtC,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;gBAEzC,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CACT,oBAAoB,UAAU,+CAA+C,CAC9E,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,KAAK,CAAC,oBAAoB,UAAU,EAAE,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,MAAM,cAAc,GAAmB;YACrC,UAAU,EAAE;gBACV,WAAW,EAAE,mBAAmB;gBAChC,WAAW,EAAE,KAAK;aACnB;YACD,KAAK,EAAE;gBACL,WAAW,EAAE,cAAc;gBAC3B,WAAW,EAAE,KAAK;aACnB;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,KAAK;aACnB;SACF,CAAC;QAEF,wDAAwD;QACxD,6EAA6E;QAC7E,YAAY,GAAG,IAAI,YAAY,CAAC;YAC9B,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACzD,KAAK,EAAE,IAAI,aAAa,CAAC;gBACvB,oDAAoD;gBACpD,mEAAmE;gBACnE,YAAY,EAAE,EAAE;aACjB,CAAC;YACF,cAAc;YACd,QAAQ,EAAE;gBACR,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;aAC/C;SACF,CAAC,CAAC;QAEH,wEAAwE;QACxE,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE9D,YAAY,CAAC,KAAK,GAAG,CAAC,CAAC,OAA4C,EAAE,EAAE;YACrE,MAAM,aAAa,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACpD,MAAM,WAAW,GAAG,kBAAkB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAE/D,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAClD,IAAI,QAAQ,EAAE,CAAC;oBACb,YAAY,CAAC,kBAAkB,EAAE,CAAC;oBAClC,QAAQ,CAAC,IAAI,EAAE,CAAC;oBAChB,gEAAgE;oBAChE,kEAAkE;oBAClE,+DAA+D;oBAC/D,8DAA8D;oBAC9D,+DAA+D;oBAC/D,uDAAuD;oBACvD,OAAO,QAAQ,CAAC,OAEf,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,gBAAgB,CAC9B,GAAG,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,EAC5B,aAAa,CACd,CAAC;gBACF,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE;oBAC/B,OAAO;oBACP,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;oBAC3B,IAAI,EAAE,CAAC;iBACR,CAAC,CAAC;gBACH,+DAA+D;gBAC/D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,yCAAyC;gBACzC,MAAM,OAAO,GAAG,GAAS,EAAE;oBACzB,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBACtC,CAAC,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC/B,OAAO,OAAsD,CAAC;YAChE,CAAC;YAED,OAAO,gBAAgB,CACrB,GAAG,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,EAC5B,aAAa,CACiC,CAAC;QACnD,CAAC,CAA8B,CAAC;QAEhC,YAAY,CAAC,MAAM,GAAG,CAAC,OAAO,EAAE,EAAE;YAChC,OAAO,gBAAgB,CACrB,GAAG,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,EAC7B,oBAAoB,CAAC,OAAO,CAAC,CAC9B,CAAC;QACJ,CAAC,CAAC;QAEF,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC3E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC5C,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,MAAM,GAAyD;IAC1E,IAAI,CACF,WAKa,EACb,UAGa;QAEb,OAAO,eAAe,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACzD,CAAC;CACF,CAAC;AAyCF;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO;QACL,iBAAiB;QACjB,UAAU,EAAE,cAAc,CAAC,MAAM;QACjC,uBAAuB,EAAE,UAAU,CAAC,uBAAuB;QAC3D,aAAa,EAAE,UAAU,CAAC,aAAa;QACvC,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;QACjD,mBAAmB,EAAE,UAAU,CAAC,iBAAiB;QACjD,aAAa,EAAE,YAAY,CAAC,aAAa;QACzC,gBAAgB,EAAE,YAAY,CAAC,gBAAgB;QAC/C,wBAAwB,EAAE,YAAY,CAAC,wBAAwB;QAC/D,oBAAoB,EAAE,YAAY,CAAC,oBAAoB;QACvD,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,qBAAqB,EAAE,eAAe,CAAC,IAAI;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU;IACxB,IAAI,YAAY,EAAE,CAAC;QACjB,YAAY,CAAC,IAAI,EAAE,CAAC;QACpB,YAAY,GAAG,SAAS,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}
package/esm/client.mjs CHANGED
@@ -178,10 +178,16 @@ async function getAuthToken() {
178
178
  }
179
179
  // Validate the token format
180
180
  if (token && !isValidJwtFormat(token)) {
181
- // Check if it looks like a Google OAuth token
181
+ // Opaque OAuth access tokens (`ya29.…`) are NOT acceptable backend
182
+ // credentials — the backend's `verifyBackendToken` rejects them with
183
+ // `opaque_access_token_rejected`. Refuse to send them so callers see a
184
+ // clear local warning instead of an opaque 401 from the server.
182
185
  if (token.startsWith('ya29.')) {
183
- // Google OAuth tokens are valid, pass through
184
- return token;
186
+ logger.warn('[Apollo Client] Refusing to send a Google OAuth access token (ya29.…) ' +
187
+ 'to the backend. These tokens cannot be verified offline and are ' +
188
+ 'rejected by the backend. Use a backend-issued JWT or SERVER_AUTH_TOKEN ' +
189
+ 'instead.');
190
+ return '';
185
191
  }
186
192
  logger.warn('[Apollo Client] Token does not appear to be a valid JWT format. ' +
187
193
  'Expected format: header.payload.signature (three base64url-encoded parts). ' +
package/esm/middleware/auth.d.ts CHANGED
@@ -1,6 +1,13 @@
1
1
  import { Request, Response, NextFunction } from 'express';
2
2
  import { JwtPayload } from 'jsonwebtoken';
3
- /** Represents the decoded user payload attached to authenticated requests. */
3
+ import { type BackendPrincipal } from '../auth/token-verifier';
4
+ /**
5
+ * Express request shape with the verified principal attached.
6
+ *
7
+ * Legacy code reads `req.user?.role === 'server'`, `req.user.sub`, etc., so we
8
+ * adapt the `BackendPrincipal` discriminated union into the same shape that
9
+ * `audit-logger` and resolver-side guards already expect.
10
+ */
4
11
  interface AuthUser extends JwtPayload {
5
12
  provider?: string;
6
13
  token?: string;
@@ -9,7 +16,26 @@ interface AuthUser extends JwtPayload {
9
16
  }
10
17
  export interface AuthenticatedRequest extends Request {
11
18
  user?: AuthUser | string;
19
+ /**
20
+ * The verified `BackendPrincipal` from `verifyBackendToken`. New consumers
21
+ * should prefer this discriminated union over the legacy `user` shape.
22
+ */
23
+ principal?: BackendPrincipal;
12
24
  }
13
- export declare const authMiddleware: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
25
+ /**
26
+ * Express middleware that establishes the verified principal from the
27
+ * `Authorization: Bearer …` header. Replaces the historical implementation
28
+ * that prefix-matched `ya29.` and accepted any string as a Google OAuth
29
+ * principal without verification.
30
+ *
31
+ * Failure modes:
32
+ * - Missing `Authorization` header -> 401 with `{ error: "unauthorized" }`.
33
+ * - Failed verification -> 401 with `{ error: "invalid_token", reason }`
34
+ * where `reason` is one of the discriminated `AuthErrorReason` values.
35
+ *
36
+ * Success: sets `req.user` (legacy shape) and `req.principal` (typed union),
37
+ * then calls `next()`.
38
+ */
39
+ export declare const authMiddleware: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
14
40
  export {};
15
41
  //# sourceMappingURL=auth.d.ts.map
package/esm/middleware/auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAY,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C,8EAA8E;AAC9E,UAAU,QAAS,SAAQ,UAAU;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;CAC1B;AAED,eAAO,MAAM,cAAc,GACzB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,8CAqCnB,CAAC"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,wBAAwB,CAAC;AAGhC;;;;;;GAMG;AACH,UAAU,QAAS,SAAQ,UAAU;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IACzB;;;OAGG;IACH,SAAS,CAAC,EAAE,gBAAgB,CAAC;CAC9B;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GACzB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,KACjB,IAsBF,CAAC"}
package/esm/middleware/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,GAAmB,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAczC,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,GAAyB,EACzB,GAAa,EACb,IAAkB,EAClB,EAAE;IACF,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5C,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;QACnC,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CACT,sEAAsE,CACvE,CAAC;QACF,GAAG,CAAC,IAAI,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QACzC,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC;QACH,yDAAyD;QACzD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACtD,IAAI,eAAe,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YACjD,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YAC7C,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;QACrB,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAChB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,8CAA8C,YAAY,EAAE,CAAC,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC"}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/middleware/auth.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,kBAAkB,EAClB,SAAS,GAEV,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAyBzC;;;;GAIG;AACH,SAAS,eAAe,CAAC,SAA2B;IAClD,QAAQ,SAAS,CAAC,IAAI,EAAE,CAAC;QACvB,KAAK,QAAQ;YACX,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QAChE,KAAK,OAAO;YACV,OAAO;gBACL,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,IAAI,EAAE,OAAO;gBACb,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACtD,CAAC;QACJ,KAAK,MAAM;YACT,OAAO;gBACL,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,IAAI,EACF,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;oBACzC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;oBAClB,MAAM;gBACR,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACtD,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAC5B,GAAyB,EACzB,GAAa,EACb,IAAkB,EACZ,EAAE;IACR,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5C,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,kBAAkB,CAAC,KAAK,CAAC;SACtB,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAClB,GAAG,CAAC,SAAS,GAAG,SAAS,CAAC;QAC1B,GAAG,CAAC,IAAI,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,CAAU,EAAE,EAAE;QACpB,MAAM,MAAM,GAAG,CAAC,YAAY,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACpE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACP,CAAC,CAAC"}
package/esm/middleware/auth.mjs CHANGED
@@ -1,37 +1,63 @@
1
- import jwt from 'jsonwebtoken';
2
- import { jwtSecret } from '../config/jwtConfig.mjs';
1
+ import { verifyBackendToken, AuthError, } from '../auth/token-verifier.mjs';
3
2
  import { logger } from '../utils/logger.mjs';
3
+ /**
4
+ * Map a verified `BackendPrincipal` to the legacy `req.user` shape used by
5
+ * existing middleware (audit-logger, authorization checks). New consumers
6
+ * should read `req.principal` directly for the typed union.
7
+ */
8
+ function principalToUser(principal) {
9
+ switch (principal.kind) {
10
+ case 'server':
11
+ return { sub: 'server', name: 'Server Auth', role: 'server' };
12
+ case 'admin':
13
+ return {
14
+ sub: principal.sub,
15
+ role: 'admin',
16
+ ...(principal.email ? { name: principal.email } : {}),
17
+ };
18
+ case 'user':
19
+ return {
20
+ sub: principal.sub,
21
+ role: principal.roles.find((r) => r !== 'user') ??
22
+ principal.roles[0] ??
23
+ 'user',
24
+ ...(principal.email ? { name: principal.email } : {}),
25
+ };
26
+ }
27
+ }
28
+ /**
29
+ * Express middleware that establishes the verified principal from the
30
+ * `Authorization: Bearer …` header. Replaces the historical implementation
31
+ * that prefix-matched `ya29.` and accepted any string as a Google OAuth
32
+ * principal without verification.
33
+ *
34
+ * Failure modes:
35
+ * - Missing `Authorization` header -> 401 with `{ error: "unauthorized" }`.
36
+ * - Failed verification -> 401 with `{ error: "invalid_token", reason }`
37
+ * where `reason` is one of the discriminated `AuthErrorReason` values.
38
+ *
39
+ * Success: sets `req.user` (legacy shape) and `req.principal` (typed union),
40
+ * then calls `next()`.
41
+ */
4
42
  export const authMiddleware = (req, res, next) => {
5
43
  const authHeader = req.header('Authorization') || '';
6
44
  const token = authHeader.startsWith('Bearer ')
7
- ? authHeader.replace('Bearer ', '')
45
+ ? authHeader.slice('Bearer '.length).trim()
8
46
  : '';
9
47
  if (!token) {
10
- return res.status(401).send({ error: 'Unauthorized' });
11
- }
12
- // Handle Google OAuth tokens
13
- if (token.startsWith('ya29.')) {
14
- logger.info('Detected Google OAuth token in middleware, skipping JWT verification');
15
- req.user = { provider: 'google', token };
16
- return next();
48
+ res.status(401).json({ error: 'unauthorized' });
49
+ return;
17
50
  }
18
- // Handle regular JWT tokens
19
- try {
20
- // Check for server-to-server auth token from environment
21
- const serverAuthToken = process.env.SERVER_AUTH_TOKEN;
22
- if (serverAuthToken && token === serverAuthToken) {
23
- req.user = { sub: 'server', name: 'Server Auth', role: 'server' };
24
- }
25
- else {
26
- const decoded = jwt.verify(token, jwtSecret);
27
- req.user = decoded;
28
- }
51
+ verifyBackendToken(token)
52
+ .then((principal) => {
53
+ req.principal = principal;
54
+ req.user = principalToUser(principal);
29
55
  next();
30
- }
31
- catch (error) {
32
- const errorMessage = error instanceof Error ? error.message : 'Unknown error';
33
- logger.warn(`[Auth] Middleware JWT verification failed: ${errorMessage}`);
34
- res.status(401).send({ error: 'Unauthorized' });
35
- }
56
+ })
57
+ .catch((e) => {
58
+ const reason = e instanceof AuthError ? e.reason : 'bad_signature';
59
+ logger.warn('[auth] Express middleware rejected token', { reason });
60
+ res.status(401).json({ error: 'invalid_token', reason });
61
+ });
36
62
  };
37
63
  //# sourceMappingURL=auth.js.map
package/esm/middleware/rate-limiter.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAAA,gHAAgH;AAsBhH;;;;;GAKG;AACH,SAAS,eAAe,CAAC,GAAY;IACnC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,4EAA4E;IAC5E,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,iBAAiB,CAAC,MAAuB;IAChD,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,wCAAwC;IACxC,WAAW,CAAC,GAAG,EAAE;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACjC,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,UAAU,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,IAAI,SAAS,CAAC;QACvE,MAAM,aAAa,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,aAAa;YAChC,CAAC,CAAC,MAAM,CAAC,gBAAgB;YACzB,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC9B,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACxD,KAAK,CAAC,QAAQ,CAAC,GAAG;gBAChB,KAAK,EAAE,CAAC;gBACR,SAAS,EAAE,GAAG,GAAG,MAAM,CAAC,QAAQ;aACjC,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAEjE,yBAAyB;QACzB,IAAI,MAAM,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;YACrC,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC5D,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7D,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,GAAG,YAAY,EAAE,CAAC;YACjC,oEAAoE;YACpE,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;IAClD,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;IACvC,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,EAAE,EAAE,CAAC;IACpE,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,KAAK,EAAE,EAAE,CAAC;IAC5E,eAAe,EAAE,IAAI;IACrB,aAAa,EAAE,KAAK;IACpB,OAAO,EAAE;QACP,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;KACpE;CACF,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,CAAC;IAC/C,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;IACvC,gBAAgB,EAAE,EAAE;IACpB,kBAAkB,EAAE,EAAE;IACtB,eAAe,EAAE,IAAI;IACrB,aAAa,EAAE,KAAK;IACpB,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC,EAAE;CACxE,CAAC,CAAC"}
1
+ {"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAAA,gHAAgH;AAsBhH;;;;;GAKG;AACH,SAAS,eAAe,CAAC,GAAY;IACnC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,2EAA2E;IAC3E,0EAA0E;IAC1E,wEAAwE;IACxE,mEAAmE;IACnE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,iBAAiB,CAAC,MAAuB;IAChD,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,wCAAwC;IACxC,WAAW,CAAC,GAAG,EAAE;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACjC,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,UAAU,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,IAAI,SAAS,CAAC;QACvE,MAAM,aAAa,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,aAAa;YAChC,CAAC,CAAC,MAAM,CAAC,gBAAgB;YACzB,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAC9B,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACxD,KAAK,CAAC,QAAQ,CAAC,GAAG;gBAChB,KAAK,EAAE,CAAC;gBACR,SAAS,EAAE,GAAG,GAAG,MAAM,CAAC,QAAQ;aACjC,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAEjE,yBAAyB;QACzB,IAAI,MAAM,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;YACrC,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC5D,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7D,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,GAAG,YAAY,EAAE,CAAC;YACjC,oEAAoE;YACpE,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACrC,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;IAClD,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;IACvC,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,EAAE,EAAE,CAAC;IACpE,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,KAAK,EAAE,EAAE,CAAC;IAC5E,eAAe,EAAE,IAAI;IACrB,aAAa,EAAE,KAAK;IACpB,OAAO,EAAE;QACP,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;KACpE;CACF,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,CAAC;IAC/C,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;IACvC,gBAAgB,EAAE,EAAE;IACpB,kBAAkB,EAAE,EAAE;IACtB,eAAe,EAAE,IAAI;IACrB,aAAa,EAAE,KAAK;IACpB,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC,EAAE;CACxE,CAAC,CAAC"}
package/esm/middleware/rate-limiter.mjs CHANGED
@@ -11,10 +11,10 @@ function isAuthenticated(req) {
11
11
  return false;
12
12
  }
13
13
  const token = authHeader.slice(7);
14
- // Google OAuth tokens (ya29.) and JWTs (three dot-separated segments) count
15
- if (token.startsWith('ya29.')) {
16
- return true;
17
- }
14
+ // Only count 3-segment JWT-shaped tokens as "authenticated" for rate-limit
15
+ // tiering. Opaque OAuth access tokens (e.g. `ya29.…`) are rejected by the
16
+ // verifier downstream — treating them as authenticated here would let a
17
+ // caller spamming opaque tokens enjoy the higher auth-tier limits.
18
18
  return token.split('.').length === 3;
19
19
  }
20
20
  /**
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@adaptic/backend-legacy",
3
- "version": "0.0.972",
3
+ "version": "0.0.974",
4
4
  "description": "Backend executable CRUD functions with dynamic variables construction, and type definitions for the Adaptic AI platform.",
5
5
  "type": "module",
6
6
  "types": "index.d.ts",
package/server.cjs CHANGED
@@ -44,6 +44,7 @@ const server_1 = require("@apollo/server");
44
44
  const express4_1 = require("@as-integrations/express4");
45
45
  const drainHttpServer_1 = require("@apollo/server/plugin/drainHttpServer");
46
46
  const type_graphql_1 = require("type-graphql");
47
+ const graphql_1 = require("graphql");
47
48
  const typegraphql_prisma_1 = require("./generated/typegraphql-prisma.cjs");
48
49
  const custom_1 = require("./resolvers/custom.cjs");
49
50
  const http_1 = require("http");
@@ -51,15 +52,44 @@ const cors_1 = __importDefault(require("cors"));
51
52
  const body_parser_1 = __importDefault(require("body-parser"));
52
53
  const ws_1 = require("ws");
53
54
  const ws_2 = require("graphql-ws/lib/use/ws");
54
- const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
55
55
  const auth_1 = require("./middleware/auth.cjs");
56
56
  const audit_logger_1 = require("./middleware/audit-logger.cjs");
57
- const jwtConfig_1 = require("./config/jwtConfig.cjs");
58
57
  const prismaClient_1 = __importStar(require("./prismaClient.cjs"));
59
58
  const health_1 = require("./health.cjs");
60
59
  const child_process_1 = require("child_process");
61
60
  const logger_1 = require("./utils/logger.cjs");
62
61
  const tracing_1 = require("./config/tracing.cjs");
62
+ const token_verifier_1 = require("./auth/token-verifier.cjs");
63
+ /**
64
+ * Adapt a verified `BackendPrincipal` to the legacy `user` context shape used
65
+ * by downstream resolvers and audit plugins (`{ sub, role, roles? }`).
66
+ *
67
+ * The server-kind principal is materialised as `{ sub: 'server', role: 'server' }`
68
+ * for compatibility with the historical `audit-logger` middleware that checks
69
+ * `context.user?.role === 'server'`.
70
+ */
71
+ function principalToUser(principal) {
72
+ var _a, _b;
73
+ switch (principal.kind) {
74
+ case 'server':
75
+ return { sub: 'server', name: 'Server Auth', role: 'server' };
76
+ case 'admin':
77
+ return {
78
+ sub: principal.sub,
79
+ role: 'admin',
80
+ // Preserve the email if Google or our JWT provided one.
81
+ ...(principal.email ? { name: principal.email } : {}),
82
+ };
83
+ case 'user':
84
+ // Surface the highest-privilege role string for legacy consumers that
85
+ // expect `role` to be a single value (default to "user").
86
+ return {
87
+ sub: principal.sub,
88
+ role: (_b = (_a = principal.roles.find((r) => r !== 'user')) !== null && _a !== void 0 ? _a : principal.roles[0]) !== null && _b !== void 0 ? _b : 'user',
89
+ ...(principal.email ? { name: principal.email } : {}),
90
+ };
91
+ }
92
+ }
63
93
  let dbUnreachableCount = 0;
64
94
  let lastRestartAttempt = 0;
65
95
  async function restartDatabase() {
@@ -91,6 +121,11 @@ async function restartDatabase() {
91
121
  });
92
122
  }
93
123
  const startServer = async () => {
124
+ // Boot-time invariant: in production, `GOOGLE_OAUTH_CLIENT_IDS` must be set.
125
+ // Without it, no Google ID token can be safely verified — and the verifier
126
+ // would surface a per-request `misconfigured` error indefinitely. Refuse to
127
+ // boot with broken identity configuration.
128
+ (0, token_verifier_1.assertGoogleAudienceConfiguredForProd)();
94
129
  const schema = await (0, type_graphql_1.buildSchema)({
95
130
  resolvers: [...typegraphql_prisma_1.resolvers, custom_1.OptionsGreeksHistoryCustomResolver],
96
131
  validate: false,
@@ -106,7 +141,7 @@ const startServer = async () => {
106
141
  (0, audit_logger_1.createAuditLogPlugin)(),
107
142
  ],
108
143
  formatError: (err) => {
109
- var _a;
144
+ var _a, _b;
110
145
  const message = err.message || '';
111
146
  // Demote known caller-handled / caller-side error patterns to lower
112
147
  // log levels so they don't pollute ERROR logs and trigger spurious
@@ -154,12 +189,25 @@ const startServer = async () => {
154
189
  // a successful query or a different error, we might reset:
155
190
  dbUnreachableCount = 0;
156
191
  }
192
+ // Surface the verifier's `reason` enum on UNAUTHENTICATED responses so
193
+ // operators (and the web app's network tab) can diagnose auth failures
194
+ // without grepping Railway logs. The reason is one of a finite set —
195
+ // `malformed | expired | bad_signature | bad_audience |
196
+ // opaque_access_token_rejected | misconfigured` — and carries no
197
+ // sensitive data (no token bytes, no claim values). Whitelisted to
198
+ // UNAUTHENTICATED so we do not accidentally leak a `reason` field
199
+ // attached to any other error class. See CORTEX-2026-05-12 auth-debug
200
+ // change log.
201
+ const code = ((_a = err.extensions) === null || _a === void 0 ? void 0 : _a.code) || 'INTERNAL_SERVER_ERROR';
202
+ const reasonValue = (_b = err.extensions) === null || _b === void 0 ? void 0 : _b.reason;
203
+ const includeReason = code === 'UNAUTHENTICATED' && typeof reasonValue === 'string';
157
204
  return {
158
205
  message: err.message,
159
206
  locations: err.locations,
160
207
  path: err.path,
161
208
  extensions: {
162
- code: ((_a = err.extensions) === null || _a === void 0 ? void 0 : _a.code) || 'INTERNAL_SERVER_ERROR',
209
+ code,
210
+ ...(includeReason ? { reason: reasonValue } : {}),
163
211
  },
164
212
  };
165
213
  },
@@ -207,54 +255,40 @@ const startServer = async () => {
207
255
  }
208
256
  // Extract token from Authorization header
209
257
  const authHeader = req.headers.authorization || '';
210
- // Only try to verify token if it's in proper Bearer format
211
258
  const token = authHeader.startsWith('Bearer ')
212
- ? authHeader.split(' ')[1]
259
+ ? authHeader.slice('Bearer '.length).trim()
213
260
  : '';
214
- let user = null;
215
- if (token) {
216
- // Check if token is a Google OAuth token (starts with ya29.)
217
- if (token.startsWith('ya29.')) {
218
- // For Google OAuth tokens, we should validate differently or pass them through
219
- // This is a temporary solution - ideally you should verify with Google's OAuth API
220
- user = { provider: 'google', token };
221
- }
222
- else {
223
- // Validate JWT format before attempting verification (must have 3 dot-separated parts)
224
- const tokenParts = token.split('.');
225
- if (tokenParts.length !== 3) {
226
- // Log only once per unique malformed token to avoid log spam
227
- const tokenPreview = token.length > 20 ? `${token.substring(0, 20)}...` : token;
228
- logger_1.logger.warn('Received malformed token (not a valid JWT format)', {
229
- tokenPreview,
230
- });
231
- // Continue without authentication - don't fail the request
232
- return {
233
- prisma: global.prisma,
234
- req,
235
- authError: 'Malformed token: expected JWT format (header.payload.signature)',
236
- };
237
- }
238
- // For regular JWT tokens, verify using the centralized secret
239
- try {
240
- // Check for server-to-server auth token from environment
241
- const serverAuthToken = process.env.SERVER_AUTH_TOKEN;
242
- if (serverAuthToken && token === serverAuthToken) {
243
- user = { sub: 'server', name: 'Server Auth', role: 'server' };
244
- }
245
- else {
246
- user = jsonwebtoken_1.default.verify(token, jwtConfig_1.jwtSecret);
247
- }
248
- }
249
- catch (e) {
250
- // Only log verification failures at warn level with minimal info
251
- const errorMessage = e instanceof Error ? e.message : 'Unknown error';
252
- logger_1.logger.warn('JWT verification failed', { errorMessage });
253
- return { prisma: global.prisma, req, authError: 'Invalid token' };
254
- }
255
- }
261
+ // When NO token is presented, fall through with `user: null`. The
262
+ // `AuthChecker` introduced in CORTEX-P0-001 will reject any operation
263
+ // that requires a principal; this contract preserves the current
264
+ // unauthenticated-public-query path until P0-001 lands.
265
+ if (!token) {
266
+ return { prisma: global.prisma, req, user: null };
267
+ }
268
+ // Verify the bearer token through the SINGLE typed entry point. There
269
+ // is no prefix shortcut (ya29.…), no parallel path, and no silent
270
+ // downgrade to an unverified principal on failure.
271
+ try {
272
+ const principal = await (0, token_verifier_1.verifyBackendToken)(token);
273
+ return {
274
+ prisma: global.prisma,
275
+ req,
276
+ user: principalToUser(principal),
277
+ };
278
+ }
279
+ catch (e) {
280
+ const reason = e instanceof token_verifier_1.AuthError ? e.reason : 'bad_signature';
281
+ logger_1.logger.warn('GraphQL HTTP auth rejected', { reason });
282
+ // Throw `UNAUTHENTICATED` so Apollo's HTTP transport returns a
283
+ // GraphQL-shaped error response. The `formatError` hook above
284
+ // preserves the `code` extension.
285
+ throw new graphql_1.GraphQLError('Unauthenticated', {
286
+ extensions: {
287
+ code: 'UNAUTHENTICATED',
288
+ reason,
289
+ },
290
+ });
256
291
  }
257
- return { prisma: global.prisma, req, user };
258
292
  },
259
293
  }));
260
294
  // Custom error handling middleware for express
@@ -282,38 +316,38 @@ const startServer = async () => {
282
316
  const authHeader = ((_a = ctx.connectionParams) === null || _a === void 0 ? void 0 : _a.authorization) ||
283
317
  '';
284
318
  const token = authHeader.startsWith('Bearer ')
285
- ? authHeader.split(' ')[1]
319
+ ? authHeader.slice('Bearer '.length).trim()
286
320
  : '';
287
- let user = null;
288
- if (token) {
289
- // Check if token is a Google OAuth token (starts with ya29.)
290
- if (token.startsWith('ya29.')) {
291
- // For Google OAuth tokens, we should validate differently or pass them through
292
- logger_1.logger.info('Detected Google OAuth token in WebSocket, skipping JWT verification');
293
- user = { provider: 'google', token };
294
- }
295
- else {
296
- // For regular JWT tokens, verify using the centralized secret
297
- try {
298
- // Check for server-to-server auth token from environment
299
- const serverAuthToken = process.env.SERVER_AUTH_TOKEN;
300
- if (serverAuthToken && token === serverAuthToken) {
301
- user = { sub: 'server', name: 'Server Auth', role: 'server' };
302
- }
303
- else {
304
- user = jsonwebtoken_1.default.verify(token, jwtConfig_1.jwtSecret);
305
- }
306
- }
307
- catch (e) {
308
- const errorMessage = e instanceof Error ? e.message : 'Unknown error';
309
- logger_1.logger.warn('WebSocket JWT verification failed', {
310
- errorMessage,
311
- });
312
- return { prisma: global.prisma, authError: 'Invalid token' };
313
- }
314
- }
321
+ // No token presented -> deliver a null-user context. The AuthChecker
322
+ // landing in CORTEX-P0-001 will reject any subscription that requires
323
+ // a principal. Until then, public subscriptions continue to work.
324
+ if (!token) {
325
+ return { prisma: global.prisma, user: null };
326
+ }
327
+ // Verify the bearer token via the single typed entry point.
328
+ // Any verification failure THROWS — graphql-ws closes the connection
329
+ // when the context callback throws, instead of silently downgrading
330
+ // to a degraded `authError` context that quietly delivered messages
331
+ // to an unauthenticated socket.
332
+ try {
333
+ const principal = await (0, token_verifier_1.verifyBackendToken)(token);
334
+ return {
335
+ prisma: global.prisma,
336
+ user: principalToUser(principal),
337
+ };
338
+ }
339
+ catch (e) {
340
+ const reason = e instanceof token_verifier_1.AuthError ? e.reason : 'bad_signature';
341
+ logger_1.logger.warn('WebSocket auth rejected — closing connection', {
342
+ reason,
343
+ });
344
+ throw new graphql_1.GraphQLError('Unauthenticated', {
345
+ extensions: {
346
+ code: 'UNAUTHENTICATED',
347
+ reason,
348
+ },
349
+ });
315
350
  }
316
- return { prisma: global.prisma, user };
317
351
  },
318
352
  }, wsServer);
319
353
  // Start the periodic database connection health monitor