@ainetwork/adk-provider-auth-google 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/chunk-HRHLJJ2F.js +147 -0
  2. package/dist/chunk-HRHLJJ2F.js.map +1 -0
  3. package/dist/implements/google.auth.cjs +181 -0
  4. package/dist/implements/google.auth.cjs.map +1 -0
  5. package/dist/implements/google.auth.d.cts +21 -0
  6. package/dist/implements/google.auth.d.ts +21 -0
  7. package/dist/implements/google.auth.js +7 -0
  8. package/dist/implements/google.auth.js.map +1 -0
  9. package/dist/index.cjs +183 -0
  10. package/dist/index.cjs.map +1 -0
  11. package/dist/index.d.cts +3 -0
  12. package/dist/index.d.ts +3 -0
  13. package/dist/index.js +7 -0
  14. package/dist/index.js.map +1 -0
  15. package/implements/google.auth.ts +208 -0
  16. package/index.ts +1 -0
  17. package/package.json +38 -0
  18. package/tsconfig.json +9 -0
  19. package/tsup.config.ts +9 -0
package/dist/chunk-HRHLJJ2F.js ADDED
@@ -0,0 +1,147 @@
1
+ // implements/google.auth.ts
2
+ import { BaseAuth } from "@ainetwork/adk/modules";
3
+ import jwt from "jsonwebtoken";
4
+ import jwksClient from "jwks-rsa";
5
+ var GOOGLE_ISSUERS = [
6
+ "https://accounts.google.com",
7
+ "accounts.google.com"
8
+ ];
9
+ var GoogleAuth = class extends BaseAuth {
10
+ constructor(config) {
11
+ super();
12
+ this.config = config;
13
+ this.jwksClient = jwksClient({
14
+ jwksUri: "https://www.googleapis.com/oauth2/v3/certs",
15
+ cache: true,
16
+ cacheMaxAge: 864e5,
17
+ // 24 hours
18
+ rateLimit: true,
19
+ jwksRequestsPerMinute: 10
20
+ });
21
+ }
22
+ jwksClient;
23
+ getSigningKey = (header, callback) => {
24
+ this.jwksClient.getSigningKey(header.kid, (err, key) => {
25
+ if (err) {
26
+ callback(err);
27
+ return;
28
+ }
29
+ const signingKey = key?.getPublicKey();
30
+ callback(null, signingKey);
31
+ });
32
+ };
33
+ verifyGoogleIdToken(token) {
34
+ return new Promise((resolve, reject) => {
35
+ jwt.verify(
36
+ token,
37
+ this.getSigningKey,
38
+ {
39
+ algorithms: ["RS256"],
40
+ audience: this.config.clientId,
41
+ issuer: GOOGLE_ISSUERS
42
+ },
43
+ (err, decoded) => {
44
+ if (err) {
45
+ reject(err);
46
+ return;
47
+ }
48
+ resolve(decoded);
49
+ }
50
+ );
51
+ });
52
+ }
53
+ async verifyGoogleAccessToken(token) {
54
+ const response = await fetch(
55
+ `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`
56
+ );
57
+ const data = await response.json();
58
+ if (data.error) {
59
+ throw new Error(data.error_description || data.error);
60
+ }
61
+ if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {
62
+ throw new Error("Token was not issued for this client");
63
+ }
64
+ return data;
65
+ }
66
+ verifyNextAuthToken(token) {
67
+ return new Promise((resolve, reject) => {
68
+ if (!this.config.nextAuthSecret) {
69
+ reject(new Error("NextAuth secret is required for NextAuth token verification"));
70
+ return;
71
+ }
72
+ jwt.verify(
73
+ token,
74
+ this.config.nextAuthSecret,
75
+ {
76
+ algorithms: ["HS256"]
77
+ },
78
+ (err, decoded) => {
79
+ if (err) {
80
+ reject(err);
81
+ return;
82
+ }
83
+ resolve(decoded);
84
+ }
85
+ );
86
+ });
87
+ }
88
+ isGoogleAccessToken(token) {
89
+ return token.startsWith("ya29.");
90
+ }
91
+ async authenticate(req, res) {
92
+ const token = this.extractBearerToken(req);
93
+ console.log(token);
94
+ if (!token) {
95
+ return { isAuthenticated: false };
96
+ }
97
+ try {
98
+ if (this.config.nextAuthSecret) {
99
+ try {
100
+ const payload2 = await this.verifyNextAuthToken(token);
101
+ if (payload2.sub) {
102
+ return {
103
+ isAuthenticated: true,
104
+ userId: payload2.sub
105
+ };
106
+ }
107
+ } catch {
108
+ }
109
+ }
110
+ if (this.isGoogleAccessToken(token)) {
111
+ const tokenInfo = await this.verifyGoogleAccessToken(token);
112
+ if (tokenInfo.sub) {
113
+ return {
114
+ isAuthenticated: true,
115
+ userId: tokenInfo.sub
116
+ };
117
+ }
118
+ console.error("Google auth verification failed: Token does not contain sub claim");
119
+ return { isAuthenticated: false };
120
+ }
121
+ const payload = await this.verifyGoogleIdToken(token);
122
+ if (!payload.sub) {
123
+ console.error("Google auth verification failed: Token does not contain sub claim");
124
+ return { isAuthenticated: false };
125
+ }
126
+ return {
127
+ isAuthenticated: true,
128
+ userId: payload.sub
129
+ };
130
+ } catch (err) {
131
+ console.error("Google auth verification failed:", err.message);
132
+ return { isAuthenticated: false };
133
+ }
134
+ }
135
+ extractBearerToken(req) {
136
+ const authHeader = req.headers.authorization;
137
+ if (!authHeader?.startsWith("Bearer ")) {
138
+ return null;
139
+ }
140
+ return authHeader.substring(7);
141
+ }
142
+ };
143
+
144
+ export {
145
+ GoogleAuth
146
+ };
147
+ //# sourceMappingURL=chunk-HRHLJJ2F.js.map
package/dist/chunk-HRHLJJ2F.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n console.log(token);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";AAAA,SAAS,gBAAgB;AAGzB,OAAO,SAA4C;AACnD,OAAO,gBAAgB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,SAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,aAAa,WAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,UAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,YAAQ,IAAI,KAAK;AACjB,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMA,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["payload"]}
package/dist/implements/google.auth.cjs ADDED
@@ -0,0 +1,181 @@
1
+ "use strict";
2
+ var __create = Object.create;
3
+ var __defProp = Object.defineProperty;
4
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
+ var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
8
+ var __export = (target, all) => {
9
+ for (var name in all)
10
+ __defProp(target, name, { get: all[name], enumerable: true });
11
+ };
12
+ var __copyProps = (to, from, except, desc) => {
13
+ if (from && typeof from === "object" || typeof from === "function") {
14
+ for (let key of __getOwnPropNames(from))
15
+ if (!__hasOwnProp.call(to, key) && key !== except)
16
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
17
+ }
18
+ return to;
19
+ };
20
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
+ // If the importer is in node compatibility mode or this is not an ESM
22
+ // file that has been converted to a CommonJS file using a Babel-
23
+ // compatible transform (i.e. "__esModule" has not been set), then set
24
+ // "default" to the CommonJS "module.exports" for node compatibility.
25
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
+ mod
27
+ ));
28
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
+
30
+ // implements/google.auth.ts
31
+ var google_auth_exports = {};
32
+ __export(google_auth_exports, {
33
+ GoogleAuth: () => GoogleAuth
34
+ });
35
+ module.exports = __toCommonJS(google_auth_exports);
36
+ var import_modules = require("@ainetwork/adk/modules");
37
+ var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
38
+ var import_jwks_rsa = __toESM(require("jwks-rsa"), 1);
39
+ var GOOGLE_ISSUERS = [
40
+ "https://accounts.google.com",
41
+ "accounts.google.com"
42
+ ];
43
+ var GoogleAuth = class extends import_modules.BaseAuth {
44
+ constructor(config) {
45
+ super();
46
+ this.config = config;
47
+ this.jwksClient = (0, import_jwks_rsa.default)({
48
+ jwksUri: "https://www.googleapis.com/oauth2/v3/certs",
49
+ cache: true,
50
+ cacheMaxAge: 864e5,
51
+ // 24 hours
52
+ rateLimit: true,
53
+ jwksRequestsPerMinute: 10
54
+ });
55
+ }
56
+ jwksClient;
57
+ getSigningKey = (header, callback) => {
58
+ this.jwksClient.getSigningKey(header.kid, (err, key) => {
59
+ if (err) {
60
+ callback(err);
61
+ return;
62
+ }
63
+ const signingKey = key?.getPublicKey();
64
+ callback(null, signingKey);
65
+ });
66
+ };
67
+ verifyGoogleIdToken(token) {
68
+ return new Promise((resolve, reject) => {
69
+ import_jsonwebtoken.default.verify(
70
+ token,
71
+ this.getSigningKey,
72
+ {
73
+ algorithms: ["RS256"],
74
+ audience: this.config.clientId,
75
+ issuer: GOOGLE_ISSUERS
76
+ },
77
+ (err, decoded) => {
78
+ if (err) {
79
+ reject(err);
80
+ return;
81
+ }
82
+ resolve(decoded);
83
+ }
84
+ );
85
+ });
86
+ }
87
+ async verifyGoogleAccessToken(token) {
88
+ const response = await fetch(
89
+ `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`
90
+ );
91
+ const data = await response.json();
92
+ if (data.error) {
93
+ throw new Error(data.error_description || data.error);
94
+ }
95
+ if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {
96
+ throw new Error("Token was not issued for this client");
97
+ }
98
+ return data;
99
+ }
100
+ verifyNextAuthToken(token) {
101
+ return new Promise((resolve, reject) => {
102
+ if (!this.config.nextAuthSecret) {
103
+ reject(new Error("NextAuth secret is required for NextAuth token verification"));
104
+ return;
105
+ }
106
+ import_jsonwebtoken.default.verify(
107
+ token,
108
+ this.config.nextAuthSecret,
109
+ {
110
+ algorithms: ["HS256"]
111
+ },
112
+ (err, decoded) => {
113
+ if (err) {
114
+ reject(err);
115
+ return;
116
+ }
117
+ resolve(decoded);
118
+ }
119
+ );
120
+ });
121
+ }
122
+ isGoogleAccessToken(token) {
123
+ return token.startsWith("ya29.");
124
+ }
125
+ async authenticate(req, res) {
126
+ const token = this.extractBearerToken(req);
127
+ console.log(token);
128
+ if (!token) {
129
+ return { isAuthenticated: false };
130
+ }
131
+ try {
132
+ if (this.config.nextAuthSecret) {
133
+ try {
134
+ const payload2 = await this.verifyNextAuthToken(token);
135
+ if (payload2.sub) {
136
+ return {
137
+ isAuthenticated: true,
138
+ userId: payload2.sub
139
+ };
140
+ }
141
+ } catch {
142
+ }
143
+ }
144
+ if (this.isGoogleAccessToken(token)) {
145
+ const tokenInfo = await this.verifyGoogleAccessToken(token);
146
+ if (tokenInfo.sub) {
147
+ return {
148
+ isAuthenticated: true,
149
+ userId: tokenInfo.sub
150
+ };
151
+ }
152
+ console.error("Google auth verification failed: Token does not contain sub claim");
153
+ return { isAuthenticated: false };
154
+ }
155
+ const payload = await this.verifyGoogleIdToken(token);
156
+ if (!payload.sub) {
157
+ console.error("Google auth verification failed: Token does not contain sub claim");
158
+ return { isAuthenticated: false };
159
+ }
160
+ return {
161
+ isAuthenticated: true,
162
+ userId: payload.sub
163
+ };
164
+ } catch (err) {
165
+ console.error("Google auth verification failed:", err.message);
166
+ return { isAuthenticated: false };
167
+ }
168
+ }
169
+ extractBearerToken(req) {
170
+ const authHeader = req.headers.authorization;
171
+ if (!authHeader?.startsWith("Bearer ")) {
172
+ return null;
173
+ }
174
+ return authHeader.substring(7);
175
+ }
176
+ };
177
+ // Annotate the CommonJS export names for ESM import in node:
178
+ 0 && (module.exports = {
179
+ GoogleAuth
180
+ });
181
+ //# sourceMappingURL=google.auth.cjs.map
package/dist/implements/google.auth.cjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n console.log(token);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAyB;AAGzB,0BAAmD;AACnD,sBAAuB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,wBAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,iBAAa,gBAAAA,SAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,0BAAAC,QAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,0BAAAA,QAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,YAAQ,IAAI,KAAK;AACjB,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMC,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["jwksClient","jwt","payload"]}
package/dist/implements/google.auth.d.cts ADDED
@@ -0,0 +1,21 @@
1
+ import { BaseAuth } from '@ainetwork/adk/modules';
2
+ import { AuthResponse } from '@ainetwork/adk/types/auth';
3
+
4
+ interface GoogleAuthConfig {
5
+ clientId: string;
6
+ nextAuthSecret?: string;
7
+ }
8
+ declare class GoogleAuth extends BaseAuth {
9
+ private readonly config;
10
+ private readonly jwksClient;
11
+ constructor(config: GoogleAuthConfig);
12
+ private getSigningKey;
13
+ private verifyGoogleIdToken;
14
+ private verifyGoogleAccessToken;
15
+ private verifyNextAuthToken;
16
+ private isGoogleAccessToken;
17
+ authenticate(req: any, res: any): Promise<AuthResponse>;
18
+ private extractBearerToken;
19
+ }
20
+
21
+ export { GoogleAuth, type GoogleAuthConfig };
package/dist/implements/google.auth.d.ts ADDED
@@ -0,0 +1,21 @@
1
+ import { BaseAuth } from '@ainetwork/adk/modules';
2
+ import { AuthResponse } from '@ainetwork/adk/types/auth';
3
+
4
+ interface GoogleAuthConfig {
5
+ clientId: string;
6
+ nextAuthSecret?: string;
7
+ }
8
+ declare class GoogleAuth extends BaseAuth {
9
+ private readonly config;
10
+ private readonly jwksClient;
11
+ constructor(config: GoogleAuthConfig);
12
+ private getSigningKey;
13
+ private verifyGoogleIdToken;
14
+ private verifyGoogleAccessToken;
15
+ private verifyNextAuthToken;
16
+ private isGoogleAccessToken;
17
+ authenticate(req: any, res: any): Promise<AuthResponse>;
18
+ private extractBearerToken;
19
+ }
20
+
21
+ export { GoogleAuth, type GoogleAuthConfig };
package/dist/implements/google.auth.js ADDED
@@ -0,0 +1,7 @@
1
+ import {
2
+ GoogleAuth
3
+ } from "../chunk-HRHLJJ2F.js";
4
+ export {
5
+ GoogleAuth
6
+ };
7
+ //# sourceMappingURL=google.auth.js.map
package/dist/implements/google.auth.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
package/dist/index.cjs ADDED
@@ -0,0 +1,183 @@
1
+ "use strict";
2
+ var __create = Object.create;
3
+ var __defProp = Object.defineProperty;
4
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
+ var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
8
+ var __export = (target, all) => {
9
+ for (var name in all)
10
+ __defProp(target, name, { get: all[name], enumerable: true });
11
+ };
12
+ var __copyProps = (to, from, except, desc) => {
13
+ if (from && typeof from === "object" || typeof from === "function") {
14
+ for (let key of __getOwnPropNames(from))
15
+ if (!__hasOwnProp.call(to, key) && key !== except)
16
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
17
+ }
18
+ return to;
19
+ };
20
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
+ // If the importer is in node compatibility mode or this is not an ESM
22
+ // file that has been converted to a CommonJS file using a Babel-
23
+ // compatible transform (i.e. "__esModule" has not been set), then set
24
+ // "default" to the CommonJS "module.exports" for node compatibility.
25
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
+ mod
27
+ ));
28
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
+
30
+ // index.ts
31
+ var index_exports = {};
32
+ __export(index_exports, {
33
+ GoogleAuth: () => GoogleAuth
34
+ });
35
+ module.exports = __toCommonJS(index_exports);
36
+
37
+ // implements/google.auth.ts
38
+ var import_modules = require("@ainetwork/adk/modules");
39
+ var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
40
+ var import_jwks_rsa = __toESM(require("jwks-rsa"), 1);
41
+ var GOOGLE_ISSUERS = [
42
+ "https://accounts.google.com",
43
+ "accounts.google.com"
44
+ ];
45
+ var GoogleAuth = class extends import_modules.BaseAuth {
46
+ constructor(config) {
47
+ super();
48
+ this.config = config;
49
+ this.jwksClient = (0, import_jwks_rsa.default)({
50
+ jwksUri: "https://www.googleapis.com/oauth2/v3/certs",
51
+ cache: true,
52
+ cacheMaxAge: 864e5,
53
+ // 24 hours
54
+ rateLimit: true,
55
+ jwksRequestsPerMinute: 10
56
+ });
57
+ }
58
+ jwksClient;
59
+ getSigningKey = (header, callback) => {
60
+ this.jwksClient.getSigningKey(header.kid, (err, key) => {
61
+ if (err) {
62
+ callback(err);
63
+ return;
64
+ }
65
+ const signingKey = key?.getPublicKey();
66
+ callback(null, signingKey);
67
+ });
68
+ };
69
+ verifyGoogleIdToken(token) {
70
+ return new Promise((resolve, reject) => {
71
+ import_jsonwebtoken.default.verify(
72
+ token,
73
+ this.getSigningKey,
74
+ {
75
+ algorithms: ["RS256"],
76
+ audience: this.config.clientId,
77
+ issuer: GOOGLE_ISSUERS
78
+ },
79
+ (err, decoded) => {
80
+ if (err) {
81
+ reject(err);
82
+ return;
83
+ }
84
+ resolve(decoded);
85
+ }
86
+ );
87
+ });
88
+ }
89
+ async verifyGoogleAccessToken(token) {
90
+ const response = await fetch(
91
+ `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`
92
+ );
93
+ const data = await response.json();
94
+ if (data.error) {
95
+ throw new Error(data.error_description || data.error);
96
+ }
97
+ if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {
98
+ throw new Error("Token was not issued for this client");
99
+ }
100
+ return data;
101
+ }
102
+ verifyNextAuthToken(token) {
103
+ return new Promise((resolve, reject) => {
104
+ if (!this.config.nextAuthSecret) {
105
+ reject(new Error("NextAuth secret is required for NextAuth token verification"));
106
+ return;
107
+ }
108
+ import_jsonwebtoken.default.verify(
109
+ token,
110
+ this.config.nextAuthSecret,
111
+ {
112
+ algorithms: ["HS256"]
113
+ },
114
+ (err, decoded) => {
115
+ if (err) {
116
+ reject(err);
117
+ return;
118
+ }
119
+ resolve(decoded);
120
+ }
121
+ );
122
+ });
123
+ }
124
+ isGoogleAccessToken(token) {
125
+ return token.startsWith("ya29.");
126
+ }
127
+ async authenticate(req, res) {
128
+ const token = this.extractBearerToken(req);
129
+ console.log(token);
130
+ if (!token) {
131
+ return { isAuthenticated: false };
132
+ }
133
+ try {
134
+ if (this.config.nextAuthSecret) {
135
+ try {
136
+ const payload2 = await this.verifyNextAuthToken(token);
137
+ if (payload2.sub) {
138
+ return {
139
+ isAuthenticated: true,
140
+ userId: payload2.sub
141
+ };
142
+ }
143
+ } catch {
144
+ }
145
+ }
146
+ if (this.isGoogleAccessToken(token)) {
147
+ const tokenInfo = await this.verifyGoogleAccessToken(token);
148
+ if (tokenInfo.sub) {
149
+ return {
150
+ isAuthenticated: true,
151
+ userId: tokenInfo.sub
152
+ };
153
+ }
154
+ console.error("Google auth verification failed: Token does not contain sub claim");
155
+ return { isAuthenticated: false };
156
+ }
157
+ const payload = await this.verifyGoogleIdToken(token);
158
+ if (!payload.sub) {
159
+ console.error("Google auth verification failed: Token does not contain sub claim");
160
+ return { isAuthenticated: false };
161
+ }
162
+ return {
163
+ isAuthenticated: true,
164
+ userId: payload.sub
165
+ };
166
+ } catch (err) {
167
+ console.error("Google auth verification failed:", err.message);
168
+ return { isAuthenticated: false };
169
+ }
170
+ }
171
+ extractBearerToken(req) {
172
+ const authHeader = req.headers.authorization;
173
+ if (!authHeader?.startsWith("Bearer ")) {
174
+ return null;
175
+ }
176
+ return authHeader.substring(7);
177
+ }
178
+ };
179
+ // Annotate the CommonJS export names for ESM import in node:
180
+ 0 && (module.exports = {
181
+ GoogleAuth
182
+ });
183
+ //# sourceMappingURL=index.cjs.map
package/dist/index.cjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../index.ts","../implements/google.auth.ts"],"sourcesContent":["export { GoogleAuth, type GoogleAuthConfig } from \"./implements/google.auth\";\n","import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n console.log(token);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,qBAAyB;AAGzB,0BAAmD;AACnD,sBAAuB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,wBAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,iBAAa,gBAAAA,SAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,0BAAAC,QAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,0BAAAA,QAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,YAAQ,IAAI,KAAK;AACjB,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMC,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["jwksClient","jwt","payload"]}
package/dist/index.d.cts ADDED
@@ -0,0 +1,3 @@
1
+ export { GoogleAuth, GoogleAuthConfig } from './implements/google.auth.cjs';
2
+ import '@ainetwork/adk/modules';
3
+ import '@ainetwork/adk/types/auth';
package/dist/index.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ export { GoogleAuth, GoogleAuthConfig } from './implements/google.auth.js';
2
+ import '@ainetwork/adk/modules';
3
+ import '@ainetwork/adk/types/auth';
package/dist/index.js ADDED
@@ -0,0 +1,7 @@
1
+ import {
2
+ GoogleAuth
3
+ } from "./chunk-HRHLJJ2F.js";
4
+ export {
5
+ GoogleAuth
6
+ };
7
+ //# sourceMappingURL=index.js.map
package/dist/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
package/implements/google.auth.ts ADDED
@@ -0,0 +1,208 @@
1
+ import { BaseAuth } from "@ainetwork/adk/modules";
2
+ import { AuthResponse } from "@ainetwork/adk/types/auth";
3
+ import type { Request } from "express";
4
+ import jwt, { JwtHeader, SigningKeyCallback } from "jsonwebtoken";
5
+ import jwksClient from "jwks-rsa";
6
+
7
+ export interface GoogleAuthConfig {
8
+ clientId: string;
9
+ nextAuthSecret?: string;
10
+ }
11
+
12
+ interface GoogleTokenPayload {
13
+ aud: string;
14
+ iss: string;
15
+ iat: number;
16
+ exp: number;
17
+ sub: string;
18
+ email?: string;
19
+ email_verified?: boolean;
20
+ name?: string;
21
+ picture?: string;
22
+ azp?: string;
23
+ }
24
+
25
+ interface GoogleTokenInfoResponse {
26
+ azp: string;
27
+ aud: string;
28
+ sub: string;
29
+ scope: string;
30
+ exp: string;
31
+ expires_in: string;
32
+ email?: string;
33
+ email_verified?: string;
34
+ access_type?: string;
35
+ error?: string;
36
+ error_description?: string;
37
+ }
38
+
39
+ interface NextAuthJWTPayload {
40
+ name?: string;
41
+ email?: string;
42
+ picture?: string;
43
+ sub: string;
44
+ iat: number;
45
+ exp: number;
46
+ jti?: string;
47
+ }
48
+
49
+ const GOOGLE_ISSUERS: [string, ...string[]] = [
50
+ "https://accounts.google.com",
51
+ "accounts.google.com",
52
+ ];
53
+
54
+ export class GoogleAuth extends BaseAuth {
55
+ private readonly jwksClient: jwksClient.JwksClient;
56
+
57
+ constructor(private readonly config: GoogleAuthConfig) {
58
+ super();
59
+
60
+ this.jwksClient = jwksClient({
61
+ jwksUri: "https://www.googleapis.com/oauth2/v3/certs",
62
+ cache: true,
63
+ cacheMaxAge: 86400000, // 24 hours
64
+ rateLimit: true,
65
+ jwksRequestsPerMinute: 10,
66
+ });
67
+ }
68
+
69
+ private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {
70
+ this.jwksClient.getSigningKey(header.kid, (err, key) => {
71
+ if (err) {
72
+ callback(err);
73
+ return;
74
+ }
75
+ const signingKey = key?.getPublicKey();
76
+ callback(null, signingKey);
77
+ });
78
+ };
79
+
80
+ private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {
81
+ return new Promise((resolve, reject) => {
82
+ jwt.verify(
83
+ token,
84
+ this.getSigningKey,
85
+ {
86
+ algorithms: ["RS256"],
87
+ audience: this.config.clientId,
88
+ issuer: GOOGLE_ISSUERS,
89
+ },
90
+ (err: Error | null, decoded: unknown) => {
91
+ if (err) {
92
+ reject(err);
93
+ return;
94
+ }
95
+ resolve(decoded as GoogleTokenPayload);
96
+ }
97
+ );
98
+ });
99
+ }
100
+
101
+ private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {
102
+ const response = await fetch(
103
+ `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`
104
+ );
105
+
106
+ const data = await response.json() as GoogleTokenInfoResponse;
107
+
108
+ if (data.error) {
109
+ throw new Error(data.error_description || data.error);
110
+ }
111
+
112
+ // Verify the token is for our client
113
+ if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {
114
+ throw new Error("Token was not issued for this client");
115
+ }
116
+
117
+ return data;
118
+ }
119
+
120
+ private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {
121
+ return new Promise((resolve, reject) => {
122
+ if (!this.config.nextAuthSecret) {
123
+ reject(new Error("NextAuth secret is required for NextAuth token verification"));
124
+ return;
125
+ }
126
+
127
+ jwt.verify(
128
+ token,
129
+ this.config.nextAuthSecret,
130
+ {
131
+ algorithms: ["HS256"],
132
+ },
133
+ (err, decoded) => {
134
+ if (err) {
135
+ reject(err);
136
+ return;
137
+ }
138
+ resolve(decoded as NextAuthJWTPayload);
139
+ }
140
+ );
141
+ });
142
+ }
143
+
144
+ private isGoogleAccessToken(token: string): boolean {
145
+ return token.startsWith("ya29.");
146
+ }
147
+
148
+ public async authenticate(req: any, res: any): Promise<AuthResponse> {
149
+ const token = this.extractBearerToken(req);
150
+ if (!token) {
151
+ return { isAuthenticated: false };
152
+ }
153
+
154
+ try {
155
+ // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)
156
+ if (this.config.nextAuthSecret) {
157
+ try {
158
+ const payload = await this.verifyNextAuthToken(token);
159
+ if (payload.sub) {
160
+ return {
161
+ isAuthenticated: true,
162
+ userId: payload.sub,
163
+ };
164
+ }
165
+ } catch {
166
+ // If NextAuth verification fails, try other methods
167
+ }
168
+ }
169
+
170
+ // Check if it's a Google Access Token (starts with "ya29.")
171
+ if (this.isGoogleAccessToken(token)) {
172
+ const tokenInfo = await this.verifyGoogleAccessToken(token);
173
+ if (tokenInfo.sub) {
174
+ return {
175
+ isAuthenticated: true,
176
+ userId: tokenInfo.sub,
177
+ };
178
+ }
179
+ console.error("Google auth verification failed: Token does not contain sub claim");
180
+ return { isAuthenticated: false };
181
+ }
182
+
183
+ // Try to verify as Google ID token (JWT)
184
+ const payload = await this.verifyGoogleIdToken(token);
185
+
186
+ if (!payload.sub) {
187
+ console.error("Google auth verification failed: Token does not contain sub claim");
188
+ return { isAuthenticated: false };
189
+ }
190
+
191
+ return {
192
+ isAuthenticated: true,
193
+ userId: payload.sub,
194
+ };
195
+ } catch (err) {
196
+ console.error("Google auth verification failed:", (err as Error).message);
197
+ return { isAuthenticated: false };
198
+ }
199
+ }
200
+
201
+ private extractBearerToken(req: Request): string | null {
202
+ const authHeader = req.headers.authorization;
203
+ if (!authHeader?.startsWith("Bearer ")) {
204
+ return null;
205
+ }
206
+ return authHeader.substring(7);
207
+ }
208
+ }
package/index.ts ADDED
@@ -0,0 +1 @@
1
+ export { GoogleAuth, type GoogleAuthConfig } from "./implements/google.auth";
package/package.json ADDED
@@ -0,0 +1,38 @@
1
+ {
2
+ "name": "@ainetwork/adk-provider-auth-google",
3
+ "version": "0.3.0",
4
+ "author": "AI Network (https://ainetwork.ai)",
5
+ "type": "module",
6
+ "engines": {
7
+ "node": ">=20"
8
+ },
9
+ "main": "./dist/index.cjs",
10
+ "module": "./dist/index.js",
11
+ "types": "./dist/index.d.ts",
12
+ "exports": {
13
+ ".": {
14
+ "types": "./dist/index.d.ts",
15
+ "import": "./dist/index.js",
16
+ "require": "./dist/index.cjs"
17
+ }
18
+ },
19
+ "scripts": {
20
+ "build": "tsup",
21
+ "clean": "rm -rf dist"
22
+ },
23
+ "dependencies": {
24
+ "@ainetwork/adk": "^0.3.0",
25
+ "jsonwebtoken": "^9.0.2",
26
+ "jwks-rsa": "^3.1.0"
27
+ },
28
+ "devDependencies": {
29
+ "@types/express": "^4.17.21",
30
+ "@types/jsonwebtoken": "^9.0.7",
31
+ "typescript": "^5.0.0"
32
+ },
33
+ "license": "MIT",
34
+ "publishConfig": {
35
+ "access": "public"
36
+ },
37
+ "gitHead": "741d325b4e2de45b8fe45e11d6a525d6467f5ab6"
38
+ }
package/tsconfig.json ADDED
@@ -0,0 +1,9 @@
1
+ {
2
+ "extends": "../../../tsconfig.json",
3
+ "compilerOptions": {
4
+ "outDir": "./dist",
5
+ "rootDir": ".",
6
+ },
7
+ "include": ["index.ts", "implements/**/*.ts"],
8
+ "exclude": ["node_modules", "dist"]
9
+ }
package/tsup.config.ts ADDED
@@ -0,0 +1,9 @@
1
+ import { defineConfig } from 'tsup'
2
+
3
+ export default defineConfig({
4
+ entry: ['index.ts', 'implements/**/*.ts'],
5
+ format: ['cjs', 'esm'],
6
+ dts: true,
7
+ sourcemap: true,
8
+ clean: true,
9
+ })