@arcblock/did-connect-service 4.0.4 → 4.0.6

package/dist/auth-client.js

@@ -1,42 +0,0 @@
-/**
- * Consumer-side helper for Auth Worker Service Binding.
- *
- * Usage:
- *   import { createAuthClient, getCookie } from '@arcblock/did-connect-cloudflare/client';
- *   const client = createAuthClient(env.AUTH);
- *   const caller = await client.verify(request);
- */
-/** Extract a named cookie value from a Request. */
-export function getCookie(request, name) {
-    const cookie = request.headers.get("Cookie");
-    if (!cookie)
-        return null;
-    const match = cookie.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
-    return match ? match[1] : null;
-}
-/** Create a typed client wrapper around an AuthRPC binding. */
-export function createAuthClient(binding) {
-    return {
-        async verify(request) {
-            const jwt = getCookie(request, "login_token");
-            return jwt ? binding.verify(jwt) : null;
-        },
-        async verifyFull(request) {
-            const jwt = getCookie(request, "login_token");
-            return jwt ? binding.verifyFull(jwt) : null;
-        },
-        async resolveIdentity(request, instanceDid) {
-            const jwt = getCookie(request, "login_token");
-            const authHeader = request.headers.get("Authorization");
-            return binding.resolveIdentity(jwt, authHeader, instanceDid);
-        },
-        /** Return a redirect-to-login or 401 response for unauthenticated requests. */
-        unauthorized(request) {
-            if (request.headers.get("Upgrade") === "websocket") {
-                return new Response(null, { status: 401 });
-            }
-            return Response.redirect(new URL("/.well-known/service/login", request.url).href);
-        },
-    };
-}
-//# sourceMappingURL=auth-client.js.map

package/dist/auth-client.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../src/auth-client.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,mDAAmD;AACnD,MAAM,UAAU,SAAS,CAAC,OAAgB,EAAE,IAAY;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IACrE,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAClC,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,gBAAgB,CAAC,OAAyB;IACxD,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,OAAgB;YAC3B,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAC9C,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1C,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,OAAgB;YAC/B,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAC9C,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,eAAe,CACnB,OAAgB,EAChB,WAAoB;YAEpB,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACxD,OAAO,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QAC/D,CAAC;QAED,+EAA+E;QAC/E,YAAY,CAAC,OAAgB;YAC3B,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,WAAW,EAAE,CAAC;gBACnD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,4BAA4B,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;QACpF,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth-entrypoint.d.ts

@@ -1,45 +0,0 @@
-/**
- * AuthEntrypoint — Master Worker RPC service for federated auth.
- *
- * In a Cloudflare Workers multi-site setup, the master worker exposes
- * this class via WorkerEntrypoint. Member workers call it via Service Bindings
- * for DID derivation (OAuth/Email) and wallet info (DID Connect delegation).
- *
- * Usage in master worker:
- *   import { WorkerEntrypoint } from "cloudflare:workers";
- *   export class AuthEntrypoint extends WorkerEntrypoint<Env> {
- *     deriveDID(sub: string) { return deriveDIDLocal(sub, this.env.APP_SK); }
- *     getWalletInfo() { return getWalletInfoLocal(this.env.APP_SK); }
- *   }
- *
- * This module provides the pure functions that the entrypoint methods delegate to.
- */
-/** Interface matching what AuthEntrypoint exposes via RPC. */
-export interface AuthEntrypointInterface {
-    deriveDID(sub: string): Promise<{
-        did: string;
-        pk: string;
-    }> | {
-        did: string;
-        pk: string;
-    };
-    getWalletInfo(): Promise<{
-        address: string;
-        pk: string;
-    }> | {
-        address: string;
-        pk: string;
-    };
-}
-/** Derive DID locally using the app's secret key. */
-export declare function deriveDIDLocal(sub: string, appSk: string): {
-    did: string;
-    pk: string;
-};
-/** Get the app wallet's public info (address, not DID — for WalletAuthenticator.delegator).
- *  When appPsk is provided, returns the permanent wallet info (for delegation). */
-export declare function getWalletInfoLocal(appSk: string, appPsk?: string): {
-    address: string;
-    pk: string;
-};
-//# sourceMappingURL=auth-entrypoint.d.ts.map

package/dist/auth-entrypoint.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-entrypoint.d.ts","sourceRoot":"","sources":["../src/auth-entrypoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,8DAA8D;AAC9D,MAAM,WAAW,uBAAuB;IACtC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3F,aAAa,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7F;AAED,qDAAqD;AACrD,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAGtF;AAED;mFACmF;AACnF,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAIlG"}

package/dist/auth-entrypoint.js

@@ -1,31 +0,0 @@
-/**
- * AuthEntrypoint — Master Worker RPC service for federated auth.
- *
- * In a Cloudflare Workers multi-site setup, the master worker exposes
- * this class via WorkerEntrypoint. Member workers call it via Service Bindings
- * for DID derivation (OAuth/Email) and wallet info (DID Connect delegation).
- *
- * Usage in master worker:
- *   import { WorkerEntrypoint } from "cloudflare:workers";
- *   export class AuthEntrypoint extends WorkerEntrypoint<Env> {
- *     deriveDID(sub: string) { return deriveDIDLocal(sub, this.env.APP_SK); }
- *     getWalletInfo() { return getWalletInfoLocal(this.env.APP_SK); }
- *   }
- *
- * This module provides the pure functions that the entrypoint methods delegate to.
- */
-import { fromAppDid } from "@arcblock/did-ext";
-import { fromSecretKey } from "@ocap/wallet";
-/** Derive DID locally using the app's secret key. */
-export function deriveDIDLocal(sub, appSk) {
-    const wallet = fromAppDid(sub, appSk);
-    return { did: wallet.address, pk: wallet.publicKey };
-}
-/** Get the app wallet's public info (address, not DID — for WalletAuthenticator.delegator).
- *  When appPsk is provided, returns the permanent wallet info (for delegation). */
-export function getWalletInfoLocal(appSk, appPsk) {
-    const sk = appPsk || appSk;
-    const wallet = fromSecretKey(sk);
-    return { address: wallet.address, pk: wallet.publicKey };
-}
-//# sourceMappingURL=auth-entrypoint.js.map

package/dist/auth-entrypoint.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-entrypoint.js","sourceRoot":"","sources":["../src/auth-entrypoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAQ7C,qDAAqD;AACrD,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,KAAa;IACvD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;AACvD,CAAC;AAED;mFACmF;AACnF,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,MAAe;IAC/D,MAAM,EAAE,GAAG,MAAM,IAAI,KAAK,CAAC;IAC3B,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;IACjC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC;AAC3D,CAAC"}

package/dist/auth-handler.d.ts

@@ -1,136 +0,0 @@
-/**
- * AuthHandler — Unified auth entry point for Cloudflare Workers.
- *
- * Combines Auth (passkey) + TeamHandler into a single, easy-to-integrate handler.
- * Internally creates D1Store — callers never need to touch it.
- *
- * Usage:
- *   const auth = createAuthHandler({ db: env.BLOCKLET_SERVICE_DB, jwtSecret: env.JWT_SECRET, rpName: "My App" });
- *   const r = await auth.route(req);   // handles passkey/team/logout routes
- *   if (r) return r;
- *   const caller = await auth.verifyFull(req);  // auth gate
- *   if (!caller) return auth.unauthorized(req);
- */
-import type { AuthEntrypointInterface } from "./identity/auth-entrypoint.js";
-import type { CallerIdentity } from "./types.js";
-export interface AuthHandlerOptions {
-    /** D1 database binding. */
-    db: D1Database;
-    /** Secret used to sign/verify JWTs (HMAC-SHA256). */
-    jwtSecret: string;
-    /** Relying Party name shown in WebAuthn prompts. */
-    rpName: string;
-    /** Relying Party ID — defaults to hostname from request.
-     *  Use a string for static rpID (e.g. "example.com" for cross-subdomain passkeys),
-     *  or a function for dynamic resolution based on the request. */
-    rpID?: string | ((request: Request) => string);
-    /** JWT expiration in seconds (default: 7 days). */
-    jwtExpiresIn?: number;
-    /** Cookie name for the auth JWT (default: "login_token"). */
-    cookieName?: string;
-    /** KV namespace for DID Connect token storage. When provided with appSk, enables DID Wallet login. */
-    kv?: KVNamespace;
-    /** Application secret key for DID Connect wallet authentication. */
-    appSk?: string;
-    /** Application info shown to the wallet during DID Connect. */
-    appInfo?: {
-        name: string;
-        description?: string;
-        icon?: string;
-    };
-    /** Resend API key for email verification. Optional — can also be configured via Admin Settings (D1 email:config). */
-    resendApiKey?: string;
-    /** From address for verification emails. Optional — can also be configured via Admin Settings (D1 email:config). */
-    emailFrom?: string;
-    /** Service Binding to master Worker (federated mode). */
-    authMaster?: AuthEntrypointInterface;
-    /** Master site OAuth callback origin (federated mode). */
-    masterOAuthOrigin?: string;
-    /** Explicit app DID, otherwise derived from appSk. */
-    appDid?: string;
-    /** Server version reported in __blocklet__.js (default: '1.0.0'). */
-    serverVersion?: string;
-    /** Permanent secret key (PSK) — first SK before rotation.
-     *  When set and different from appSk, enables DID Connect delegation
-     *  and correct appPid in __blocklet__.js. */
-    appPsk?: string;
-    /** R2 bucket for logo/media storage. */
-    r2?: R2Bucket;
-}
-/** Membership record from the memberships table. */
-export interface StoredMembership {
-    user_did: string;
-    instance_did: string;
-    role: string;
-    invited_by: string | null;
-    joined_at: string;
-}
-/** Rule with inlined policy data for access evaluation. */
-export interface RuleWithPolicyForInstance {
-    id: string;
-    pathPattern: string;
-    priority: number;
-    roles: string | null;
-    reverse: number;
-    enabled: number;
-}
-export interface AuthHandler {
-    /**
-     * Handle auth-related routes: passkey API, team API, admin/invite pages, logout.
-     * Returns a Response if the route matched, or null to let the caller continue.
-     * @param context Optional instance context — instanceDid is passed to team/access key handlers.
-     */
-    route(request: Request, context?: {
-        instanceDid?: string;
-    }): Promise<Response | null>;
-    /** Verify JWT from cookie — lightweight, no DB query. */
-    verify(request: Request): Promise<CallerIdentity | null>;
-    /** Full verification: JWT + DB user existence + approval check. */
-    verifyFull(request: Request): Promise<CallerIdentity | null>;
-    /** Return the login page HTML response. */
-    loginPage(): Promise<Response>;
-    /**
-     * Return an appropriate unauthorized response:
-     * - WebSocket upgrade requests → 401
-     * - Normal HTTP requests → login page
-     */
-    unauthorized(request: Request): Promise<Response>;
-    /**
-     * Resolve caller identity from request (access key or JWT), without enforcing access.
-     * Returns the identity if found, null otherwise.
-     * @param context Optional instance context for access key instance validation.
-     */
-    resolveIdentity(request: Request, context?: {
-        instanceDid?: string;
-    }): Promise<CallerIdentity | null>;
-    /**
-     * Enforce access policy for a request path.
-     * Evaluates rules from D1, checks caller identity + role + blocked status.
-     *
-     * When `opts.caller` is provided, uses it instead of resolving from the request.
-     * This enables the authenticate → resolve blocklet → authorize pipeline.
-     */
-    enforceAccess(request: Request, opts?: {
-        caller?: CallerIdentity | null;
-    }): Promise<{
-        response: Response;
-    } | {
-        caller: CallerIdentity | null;
-    }>;
-    /**
-     * Get membership record for a user in an instance (D16).
-     * Returns null if no membership exists.
-     */
-    getMembership(userDid: string, instanceDid: string): Promise<StoredMembership | null>;
-    /**
-     * Get active security rules for an instance, merged with global rules (D16).
-     * Instance-specific rules take priority over global rules.
-     */
-    getActiveRulesForInstance(instanceDid: string): Promise<RuleWithPolicyForInstance[]>;
-    /**
-     * Seed a default security rule for a newly launched instance (Phase 3).
-     */
-    seedInstanceDefaults(instanceDid: string): Promise<void>;
-}
-export declare function createAuthHandler(options: AuthHandlerOptions): AuthHandler;
-//# sourceMappingURL=auth-handler.d.ts.map

package/dist/auth-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAU7E,OAAO,KAAK,EAAE,cAAc,EAAQ,MAAM,YAAY,CAAC;AAEvD,MAAM,WAAW,kBAAkB;IACjC,2BAA2B;IAC3B,EAAE,EAAE,UAAU,CAAC;IACf,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf;;qEAEiE;IACjE,IAAI,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC,CAAC;IAC/C,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IAGpB,sGAAsG;IACtG,EAAE,CAAC,EAAE,WAAW,CAAC;IACjB,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+DAA+D;IAC/D,OAAO,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAGhE,qHAAqH;IACrH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oHAAoH;IACpH,SAAS,CAAC,EAAE,MAAM,CAAC;IAGnB,yDAAyD;IACzD,UAAU,CAAC,EAAE,uBAAuB,CAAC;IACrC,0DAA0D;IAC1D,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAG3B,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,aAAa,CAAC,EAAE,MAAM,CAAC;IAGvB;;iDAE6C;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAGhB,wCAAwC;IACxC,EAAE,CAAC,EAAE,QAAQ,CAAC;CACf;AAED,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,2DAA2D;AAC3D,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAEtF,yDAAyD;IACzD,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAEzD,mEAAmE;IACnE,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAE7D,2CAA2C;IAC3C,SAAS,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE/B;;;;OAIG;IACH,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElD;;;;OAIG;IACH,eAAe,CACb,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GACjC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAElC;;;;;;OAMG;IACH,aAAa,CACX,OAAO,EAAE,OAAO,EAChB,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,CAAA;KAAE,GACxC,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,CAAA;KAAE,GAAG;QAAE,MAAM,EAAE,cAAc,GAAG,IAAI,CAAA;KAAE,CAAC,CAAC;IAEvE;;;OAGG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IAEtF;;;OAGG;IACH,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,CAAC,CAAC;IAErF;;OAEG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1D;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CA4a1E"}