@ainetwork/adk-provider-auth-google 0.3.0 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-HRHLJJ2F.js → chunk-AVLNEZZD.js} +1 -2
- package/dist/chunk-AVLNEZZD.js.map +1 -0
- package/dist/implements/google.auth.cjs +0 -1
- package/dist/implements/google.auth.cjs.map +1 -1
- package/dist/implements/google.auth.js +1 -1
- package/dist/index.cjs +0 -1
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +1 -1
- package/package.json +3 -3
- package/dist/chunk-HRHLJJ2F.js.map +0 -1
|
@@ -90,7 +90,6 @@ var GoogleAuth = class extends BaseAuth {
|
|
|
90
90
|
}
|
|
91
91
|
async authenticate(req, res) {
|
|
92
92
|
const token = this.extractBearerToken(req);
|
|
93
|
-
console.log(token);
|
|
94
93
|
if (!token) {
|
|
95
94
|
return { isAuthenticated: false };
|
|
96
95
|
}
|
|
@@ -144,4 +143,4 @@ var GoogleAuth = class extends BaseAuth {
|
|
|
144
143
|
export {
|
|
145
144
|
GoogleAuth
|
|
146
145
|
};
|
|
147
|
-
//# sourceMappingURL=chunk-
|
|
146
|
+
//# sourceMappingURL=chunk-AVLNEZZD.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";AAAA,SAAS,gBAAgB;AAGzB,OAAO,SAA4C;AACnD,OAAO,gBAAgB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,SAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,aAAa,WAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,UAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMA,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["payload"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n
|
|
1
|
+
{"version":3,"sources":["../../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAyB;AAGzB,0BAAmD;AACnD,sBAAuB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,wBAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,iBAAa,gBAAAA,SAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,0BAAAC,QAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,0BAAAA,QAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMC,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["jwksClient","jwt","payload"]}
|
package/dist/index.cjs
CHANGED
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../index.ts","../implements/google.auth.ts"],"sourcesContent":["export { GoogleAuth, type GoogleAuthConfig } from \"./implements/google.auth\";\n","import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n
|
|
1
|
+
{"version":3,"sources":["../index.ts","../implements/google.auth.ts"],"sourcesContent":["export { GoogleAuth, type GoogleAuthConfig } from \"./implements/google.auth\";\n","import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,qBAAyB;AAGzB,0BAAmD;AACnD,sBAAuB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,wBAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,iBAAa,gBAAAA,SAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,0BAAAC,QAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,0BAAAA,QAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMC,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["jwksClient","jwt","payload"]}
|
package/dist/index.js
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@ainetwork/adk-provider-auth-google",
|
|
3
|
-
"version": "0.3.
|
|
3
|
+
"version": "0.3.2",
|
|
4
4
|
"author": "AI Network (https://ainetwork.ai)",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"engines": {
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
"clean": "rm -rf dist"
|
|
22
22
|
},
|
|
23
23
|
"dependencies": {
|
|
24
|
-
"@ainetwork/adk": "^0.3.
|
|
24
|
+
"@ainetwork/adk": "^0.3.2",
|
|
25
25
|
"jsonwebtoken": "^9.0.2",
|
|
26
26
|
"jwks-rsa": "^3.1.0"
|
|
27
27
|
},
|
|
@@ -34,5 +34,5 @@
|
|
|
34
34
|
"publishConfig": {
|
|
35
35
|
"access": "public"
|
|
36
36
|
},
|
|
37
|
-
"gitHead": "
|
|
37
|
+
"gitHead": "4bfa5afae29304e6cb5f106c7327f5f2092f6601"
|
|
38
38
|
}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"sources":["../implements/google.auth.ts"],"sourcesContent":["import { BaseAuth } from \"@ainetwork/adk/modules\";\nimport { AuthResponse } from \"@ainetwork/adk/types/auth\";\nimport type { Request } from \"express\";\nimport jwt, { JwtHeader, SigningKeyCallback } from \"jsonwebtoken\";\nimport jwksClient from \"jwks-rsa\";\n\nexport interface GoogleAuthConfig {\n clientId: string;\n nextAuthSecret?: string;\n}\n\ninterface GoogleTokenPayload {\n aud: string;\n iss: string;\n iat: number;\n exp: number;\n sub: string;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n azp?: string;\n}\n\ninterface GoogleTokenInfoResponse {\n azp: string;\n aud: string;\n sub: string;\n scope: string;\n exp: string;\n expires_in: string;\n email?: string;\n email_verified?: string;\n access_type?: string;\n error?: string;\n error_description?: string;\n}\n\ninterface NextAuthJWTPayload {\n name?: string;\n email?: string;\n picture?: string;\n sub: string;\n iat: number;\n exp: number;\n jti?: string;\n}\n\nconst GOOGLE_ISSUERS: [string, ...string[]] = [\n \"https://accounts.google.com\",\n \"accounts.google.com\",\n];\n\nexport class GoogleAuth extends BaseAuth {\n private readonly jwksClient: jwksClient.JwksClient;\n\n constructor(private readonly config: GoogleAuthConfig) {\n super();\n\n this.jwksClient = jwksClient({\n jwksUri: \"https://www.googleapis.com/oauth2/v3/certs\",\n cache: true,\n cacheMaxAge: 86400000, // 24 hours\n rateLimit: true,\n jwksRequestsPerMinute: 10,\n });\n }\n\n private getSigningKey = (header: JwtHeader, callback: SigningKeyCallback): void => {\n this.jwksClient.getSigningKey(header.kid, (err, key) => {\n if (err) {\n callback(err);\n return;\n }\n const signingKey = key?.getPublicKey();\n callback(null, signingKey);\n });\n };\n\n private verifyGoogleIdToken(token: string): Promise<GoogleTokenPayload> {\n return new Promise((resolve, reject) => {\n jwt.verify(\n token,\n this.getSigningKey,\n {\n algorithms: [\"RS256\"],\n audience: this.config.clientId,\n issuer: GOOGLE_ISSUERS,\n },\n (err: Error | null, decoded: unknown) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as GoogleTokenPayload);\n }\n );\n });\n }\n\n private async verifyGoogleAccessToken(token: string): Promise<GoogleTokenInfoResponse> {\n const response = await fetch(\n `https://oauth2.googleapis.com/tokeninfo?access_token=${encodeURIComponent(token)}`\n );\n\n const data = await response.json() as GoogleTokenInfoResponse;\n\n if (data.error) {\n throw new Error(data.error_description || data.error);\n }\n\n // Verify the token is for our client\n if (data.aud !== this.config.clientId && data.azp !== this.config.clientId) {\n throw new Error(\"Token was not issued for this client\");\n }\n\n return data;\n }\n\n private verifyNextAuthToken(token: string): Promise<NextAuthJWTPayload> {\n return new Promise((resolve, reject) => {\n if (!this.config.nextAuthSecret) {\n reject(new Error(\"NextAuth secret is required for NextAuth token verification\"));\n return;\n }\n\n jwt.verify(\n token,\n this.config.nextAuthSecret,\n {\n algorithms: [\"HS256\"],\n },\n (err, decoded) => {\n if (err) {\n reject(err);\n return;\n }\n resolve(decoded as NextAuthJWTPayload);\n }\n );\n });\n }\n\n private isGoogleAccessToken(token: string): boolean {\n return token.startsWith(\"ya29.\");\n }\n\n public async authenticate(req: any, res: any): Promise<AuthResponse> {\n const token = this.extractBearerToken(req);\n console.log(token);\n if (!token) {\n return { isAuthenticated: false };\n }\n\n try {\n // First, try to verify as NextAuth JWT token (signed with NEXTAUTH_SECRET)\n if (this.config.nextAuthSecret) {\n try {\n const payload = await this.verifyNextAuthToken(token);\n if (payload.sub) {\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n }\n } catch {\n // If NextAuth verification fails, try other methods\n }\n }\n\n // Check if it's a Google Access Token (starts with \"ya29.\")\n if (this.isGoogleAccessToken(token)) {\n const tokenInfo = await this.verifyGoogleAccessToken(token);\n if (tokenInfo.sub) {\n return {\n isAuthenticated: true,\n userId: tokenInfo.sub,\n };\n }\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n // Try to verify as Google ID token (JWT)\n const payload = await this.verifyGoogleIdToken(token);\n\n if (!payload.sub) {\n console.error(\"Google auth verification failed: Token does not contain sub claim\");\n return { isAuthenticated: false };\n }\n\n return {\n isAuthenticated: true,\n userId: payload.sub,\n };\n } catch (err) {\n console.error(\"Google auth verification failed:\", (err as Error).message);\n return { isAuthenticated: false };\n }\n }\n\n private extractBearerToken(req: Request): string | null {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n return null;\n }\n return authHeader.substring(7);\n }\n}\n"],"mappings":";AAAA,SAAS,gBAAgB;AAGzB,OAAO,SAA4C;AACnD,OAAO,gBAAgB;AA4CvB,IAAM,iBAAwC;AAAA,EAC5C;AAAA,EACA;AACF;AAEO,IAAM,aAAN,cAAyB,SAAS;AAAA,EAGvC,YAA6B,QAA0B;AACrD,UAAM;AADqB;AAG3B,SAAK,aAAa,WAAW;AAAA,MAC3B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAAA,EACH;AAAA,EAZiB;AAAA,EAcT,gBAAgB,CAAC,QAAmB,aAAuC;AACjF,SAAK,WAAW,cAAc,OAAO,KAAK,CAAC,KAAK,QAAQ;AACtD,UAAI,KAAK;AACP,iBAAS,GAAG;AACZ;AAAA,MACF;AACA,YAAM,aAAa,KAAK,aAAa;AACrC,eAAS,MAAM,UAAU;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,UACpB,UAAU,KAAK,OAAO;AAAA,UACtB,QAAQ;AAAA,QACV;AAAA,QACA,CAAC,KAAmB,YAAqB;AACvC,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,wBAAwB,OAAiD;AACrF,UAAM,WAAW,MAAM;AAAA,MACrB,wDAAwD,mBAAmB,KAAK,CAAC;AAAA,IACnF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,KAAK,OAAO;AACd,YAAM,IAAI,MAAM,KAAK,qBAAqB,KAAK,KAAK;AAAA,IACtD;AAGA,QAAI,KAAK,QAAQ,KAAK,OAAO,YAAY,KAAK,QAAQ,KAAK,OAAO,UAAU;AAC1E,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,OAA4C;AACtE,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI,CAAC,KAAK,OAAO,gBAAgB;AAC/B,eAAO,IAAI,MAAM,6DAA6D,CAAC;AAC/E;AAAA,MACF;AAEA,UAAI;AAAA,QACF;AAAA,QACA,KAAK,OAAO;AAAA,QACZ;AAAA,UACE,YAAY,CAAC,OAAO;AAAA,QACtB;AAAA,QACA,CAAC,KAAK,YAAY;AAChB,cAAI,KAAK;AACP,mBAAO,GAAG;AACV;AAAA,UACF;AACA,kBAAQ,OAA6B;AAAA,QACvC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,OAAwB;AAClD,WAAO,MAAM,WAAW,OAAO;AAAA,EACjC;AAAA,EAEA,MAAa,aAAa,KAAU,KAAiC;AACnE,UAAM,QAAQ,KAAK,mBAAmB,GAAG;AACzC,YAAQ,IAAI,KAAK;AACjB,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAEA,QAAI;AAEF,UAAI,KAAK,OAAO,gBAAgB;AAC9B,YAAI;AACF,gBAAMA,WAAU,MAAM,KAAK,oBAAoB,KAAK;AACpD,cAAIA,SAAQ,KAAK;AACf,mBAAO;AAAA,cACL,iBAAiB;AAAA,cACjB,QAAQA,SAAQ;AAAA,YAClB;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAGA,UAAI,KAAK,oBAAoB,KAAK,GAAG;AACnC,cAAM,YAAY,MAAM,KAAK,wBAAwB,KAAK;AAC1D,YAAI,UAAU,KAAK;AACjB,iBAAO;AAAA,YACL,iBAAiB;AAAA,YACjB,QAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AACA,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAGA,YAAM,UAAU,MAAM,KAAK,oBAAoB,KAAK;AAEpD,UAAI,CAAC,QAAQ,KAAK;AAChB,gBAAQ,MAAM,mEAAmE;AACjF,eAAO,EAAE,iBAAiB,MAAM;AAAA,MAClC;AAEA,aAAO;AAAA,QACL,iBAAiB;AAAA,QACjB,QAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,oCAAqC,IAAc,OAAO;AACxE,aAAO,EAAE,iBAAiB,MAAM;AAAA,IAClC;AAAA,EACF;AAAA,EAEQ,mBAAmB,KAA6B;AACtD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,aAAO;AAAA,IACT;AACA,WAAO,WAAW,UAAU,CAAC;AAAA,EAC/B;AACF;","names":["payload"]}
|