@assemble-dev/shared-utils 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +93 -0
- package/dist/api-keys/index.cjs +90 -0
- package/dist/api-keys/index.d.cts +15 -0
- package/dist/api-keys/index.d.ts +15 -0
- package/dist/api-keys/index.js +46 -0
- package/dist/app-error-D7pnDUHg.d.cts +11 -0
- package/dist/app-error-D7pnDUHg.d.ts +11 -0
- package/dist/auth/index.cjs +202 -0
- package/dist/auth/index.d.cts +66 -0
- package/dist/auth/index.d.ts +66 -0
- package/dist/auth/index.js +155 -0
- package/dist/chunk-7TK7K2QQ.js +59 -0
- package/dist/chunk-CP7QDN2K.js +19 -0
- package/dist/chunk-HOZLAE6A.js +22 -0
- package/dist/chunk-OW6VCN32.js +17 -0
- package/dist/chunk-XDYQIW3Q.js +191 -0
- package/dist/errors/index.cjs +66 -0
- package/dist/errors/index.d.cts +6 -0
- package/dist/errors/index.d.ts +6 -0
- package/dist/errors/index.js +10 -0
- package/dist/ids/index.cjs +93 -0
- package/dist/ids/index.d.cts +13 -0
- package/dist/ids/index.d.ts +13 -0
- package/dist/ids/index.js +22 -0
- package/dist/index.cjs +388 -0
- package/dist/index.d.cts +18 -0
- package/dist/index.d.ts +18 -0
- package/dist/index.js +102 -0
- package/dist/provider-keys/index.cjs +46 -0
- package/dist/provider-keys/index.d.cts +6 -0
- package/dist/provider-keys/index.d.ts +6 -0
- package/dist/provider-keys/index.js +12 -0
- package/dist/redaction/index.cjs +230 -0
- package/dist/redaction/index.d.cts +55 -0
- package/dist/redaction/index.d.ts +55 -0
- package/dist/redaction/index.js +32 -0
- package/package.json +78 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
Elastic License 2.0
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Assemble (github.com/smundhra-git/assemble)
|
|
4
|
+
|
|
5
|
+
## Acceptance
|
|
6
|
+
|
|
7
|
+
By using the software, you agree to all of the terms and conditions below.
|
|
8
|
+
|
|
9
|
+
## Copyright License
|
|
10
|
+
|
|
11
|
+
The licensor grants you a non-exclusive, royalty-free, worldwide,
|
|
12
|
+
non-sublicensable, non-transferable license to use, copy, distribute, make
|
|
13
|
+
available, and prepare derivative works of the software, in each case subject
|
|
14
|
+
to the limitations and conditions below.
|
|
15
|
+
|
|
16
|
+
## Limitations
|
|
17
|
+
|
|
18
|
+
You may not provide the software to third parties as a hosted or managed
|
|
19
|
+
service, where the service provides users with access to any substantial set of
|
|
20
|
+
the features or functionality of the software.
|
|
21
|
+
|
|
22
|
+
You may not move, change, disable, or circumvent the license key functionality
|
|
23
|
+
in the software, and you may not remove or obscure any functionality in the
|
|
24
|
+
software that is protected by the license key.
|
|
25
|
+
|
|
26
|
+
You may not alter, remove, or obscure any licensing, copyright, or other
|
|
27
|
+
notices of the licensor in the software. Any use of the licensor's trademarks
|
|
28
|
+
is subject to applicable law.
|
|
29
|
+
|
|
30
|
+
## Patents
|
|
31
|
+
|
|
32
|
+
The licensor grants you a license, under any patent claims the licensor can
|
|
33
|
+
license, or becomes able to license, to make, have made, use, sell, offer for
|
|
34
|
+
sale, import and have imported the software, in each case subject to the
|
|
35
|
+
limitations and conditions in this license. This license does not cover any
|
|
36
|
+
patent claims that you cause to be infringed by modifications or additions to
|
|
37
|
+
the software. If you or your company make any written claim that the software
|
|
38
|
+
infringes or contributes to infringement of any patent, your patent license for
|
|
39
|
+
the software granted under these terms ends immediately. If your company makes
|
|
40
|
+
such a claim, your patent license ends immediately for work on behalf of your
|
|
41
|
+
company.
|
|
42
|
+
|
|
43
|
+
## Notices
|
|
44
|
+
|
|
45
|
+
You must ensure that anyone who gets a copy of any part of the software from
|
|
46
|
+
you also gets a copy of these terms.
|
|
47
|
+
|
|
48
|
+
If you modify the software, you must include in any modified copies of the
|
|
49
|
+
software prominent notices stating that you have modified the software.
|
|
50
|
+
|
|
51
|
+
## No Other Rights
|
|
52
|
+
|
|
53
|
+
These terms do not imply any licenses other than those expressly granted in
|
|
54
|
+
these terms.
|
|
55
|
+
|
|
56
|
+
## Termination
|
|
57
|
+
|
|
58
|
+
If you use the software in violation of these terms, such use is not licensed,
|
|
59
|
+
and your licenses will automatically terminate. If the licensor provides you
|
|
60
|
+
with a notice of your violation, and you cease all violation of this license no
|
|
61
|
+
later than 30 days after you receive that notice, your licenses will be
|
|
62
|
+
reinstated retroactively. However, if you violate these terms after such
|
|
63
|
+
reinstatement, any additional violation of these terms will cause your licenses
|
|
64
|
+
to terminate automatically and permanently.
|
|
65
|
+
|
|
66
|
+
## No Liability
|
|
67
|
+
|
|
68
|
+
*As far as the law allows, the software comes as is, without any warranty or
|
|
69
|
+
condition, and the licensor will not be liable to you for any damages arising
|
|
70
|
+
out of these terms or the use or nature of the software, under any kind of
|
|
71
|
+
legal claim.*
|
|
72
|
+
|
|
73
|
+
## Definitions
|
|
74
|
+
|
|
75
|
+
The **licensor** is the entity offering these terms, and the **software** is
|
|
76
|
+
the software the licensor makes available under these terms, including any
|
|
77
|
+
portion of it.
|
|
78
|
+
|
|
79
|
+
**you** refers to the individual or entity agreeing to these terms.
|
|
80
|
+
|
|
81
|
+
**your company** is any legal entity, sole proprietorship, or other kind of
|
|
82
|
+
organization that you work for, plus all organizations that have control over,
|
|
83
|
+
are under the control of, or are under common control with that organization.
|
|
84
|
+
**control** means ownership of substantially all the assets of an entity, or
|
|
85
|
+
the power to direct its management and policies by vote, contract, or
|
|
86
|
+
otherwise. Control can be direct or indirect.
|
|
87
|
+
|
|
88
|
+
**your licenses** are all the licenses granted to you for the software under
|
|
89
|
+
these terms.
|
|
90
|
+
|
|
91
|
+
**use** means anything you do with the software requiring one of your licenses.
|
|
92
|
+
|
|
93
|
+
**trademark** means trademarks, service marks, and similar rights.
|
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/api-keys/index.ts
|
|
21
|
+
var api_keys_exports = {};
|
|
22
|
+
__export(api_keys_exports, {
|
|
23
|
+
INVALID_API_KEY_MESSAGE: () => INVALID_API_KEY_MESSAGE,
|
|
24
|
+
createInvalidApiKeyError: () => createInvalidApiKeyError,
|
|
25
|
+
hashApiKeySecret: () => hashApiKeySecret,
|
|
26
|
+
parseRawApiKey: () => parseRawApiKey
|
|
27
|
+
});
|
|
28
|
+
module.exports = __toCommonJS(api_keys_exports);
|
|
29
|
+
|
|
30
|
+
// src/api-keys/hash-api-key-secret.ts
|
|
31
|
+
var import_node_crypto = require("node:crypto");
|
|
32
|
+
function hashApiKeySecret(secret) {
|
|
33
|
+
return (0, import_node_crypto.createHash)("sha256").update(secret).digest("hex");
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// src/api-keys/parse-raw-api-key.ts
|
|
37
|
+
var import_shared_types = require("@assemble-dev/shared-types");
|
|
38
|
+
|
|
39
|
+
// src/errors/app-error.ts
|
|
40
|
+
var AppError = class extends Error {
|
|
41
|
+
code;
|
|
42
|
+
statusCode;
|
|
43
|
+
details;
|
|
44
|
+
cause;
|
|
45
|
+
constructor(input) {
|
|
46
|
+
super(input.message);
|
|
47
|
+
this.name = "AppError";
|
|
48
|
+
this.code = input.code;
|
|
49
|
+
this.statusCode = input.statusCode;
|
|
50
|
+
this.details = input.details;
|
|
51
|
+
this.cause = input.cause;
|
|
52
|
+
}
|
|
53
|
+
};
|
|
54
|
+
|
|
55
|
+
// src/api-keys/parse-raw-api-key.ts
|
|
56
|
+
var INVALID_API_KEY_MESSAGE = "invalid API key";
|
|
57
|
+
var KEY_ID_PREFIX = "key_";
|
|
58
|
+
var KEY_ID_BODY_HEX_LENGTH = 32;
|
|
59
|
+
var SECRET_HEX_LENGTH = 64;
|
|
60
|
+
var rawApiKeyPattern = new RegExp(
|
|
61
|
+
`^asm_(dev|prod|ci)_([0-9a-f]{${KEY_ID_BODY_HEX_LENGTH}})_([0-9a-f]{${SECRET_HEX_LENGTH}})$`
|
|
62
|
+
);
|
|
63
|
+
function createInvalidApiKeyError() {
|
|
64
|
+
return new AppError({
|
|
65
|
+
code: import_shared_types.AppErrorCode.Unauthorized,
|
|
66
|
+
message: INVALID_API_KEY_MESSAGE,
|
|
67
|
+
statusCode: 401
|
|
68
|
+
});
|
|
69
|
+
}
|
|
70
|
+
function parseRawApiKey(rawKey) {
|
|
71
|
+
const match = rawApiKeyPattern.exec(rawKey);
|
|
72
|
+
if (match === null) {
|
|
73
|
+
throw createInvalidApiKeyError();
|
|
74
|
+
}
|
|
75
|
+
const environment = match[1];
|
|
76
|
+
const keyIdBody = match[2];
|
|
77
|
+
const secret = match[3];
|
|
78
|
+
return {
|
|
79
|
+
environment,
|
|
80
|
+
keyId: `${KEY_ID_PREFIX}${keyIdBody}`,
|
|
81
|
+
secret
|
|
82
|
+
};
|
|
83
|
+
}
|
|
84
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
85
|
+
0 && (module.exports = {
|
|
86
|
+
INVALID_API_KEY_MESSAGE,
|
|
87
|
+
createInvalidApiKeyError,
|
|
88
|
+
hashApiKeySecret,
|
|
89
|
+
parseRawApiKey
|
|
90
|
+
});
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import { ApiKeyEnvironment } from '@assemble-dev/shared-types';
|
|
2
|
+
import { A as AppError } from '../app-error-D7pnDUHg.cjs';
|
|
3
|
+
|
|
4
|
+
declare function hashApiKeySecret(secret: string): string;
|
|
5
|
+
|
|
6
|
+
type ParsedRawApiKey = {
|
|
7
|
+
environment: ApiKeyEnvironment;
|
|
8
|
+
keyId: string;
|
|
9
|
+
secret: string;
|
|
10
|
+
};
|
|
11
|
+
declare const INVALID_API_KEY_MESSAGE = "invalid API key";
|
|
12
|
+
declare function createInvalidApiKeyError(): AppError;
|
|
13
|
+
declare function parseRawApiKey(rawKey: string): ParsedRawApiKey;
|
|
14
|
+
|
|
15
|
+
export { INVALID_API_KEY_MESSAGE, type ParsedRawApiKey, createInvalidApiKeyError, hashApiKeySecret, parseRawApiKey };
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import { ApiKeyEnvironment } from '@assemble-dev/shared-types';
|
|
2
|
+
import { A as AppError } from '../app-error-D7pnDUHg.js';
|
|
3
|
+
|
|
4
|
+
declare function hashApiKeySecret(secret: string): string;
|
|
5
|
+
|
|
6
|
+
type ParsedRawApiKey = {
|
|
7
|
+
environment: ApiKeyEnvironment;
|
|
8
|
+
keyId: string;
|
|
9
|
+
secret: string;
|
|
10
|
+
};
|
|
11
|
+
declare const INVALID_API_KEY_MESSAGE = "invalid API key";
|
|
12
|
+
declare function createInvalidApiKeyError(): AppError;
|
|
13
|
+
declare function parseRawApiKey(rawKey: string): ParsedRawApiKey;
|
|
14
|
+
|
|
15
|
+
export { INVALID_API_KEY_MESSAGE, type ParsedRawApiKey, createInvalidApiKeyError, hashApiKeySecret, parseRawApiKey };
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
import {
|
|
2
|
+
AppError
|
|
3
|
+
} from "../chunk-CP7QDN2K.js";
|
|
4
|
+
|
|
5
|
+
// src/api-keys/hash-api-key-secret.ts
|
|
6
|
+
import { createHash } from "node:crypto";
|
|
7
|
+
function hashApiKeySecret(secret) {
|
|
8
|
+
return createHash("sha256").update(secret).digest("hex");
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
// src/api-keys/parse-raw-api-key.ts
|
|
12
|
+
import { AppErrorCode } from "@assemble-dev/shared-types";
|
|
13
|
+
var INVALID_API_KEY_MESSAGE = "invalid API key";
|
|
14
|
+
var KEY_ID_PREFIX = "key_";
|
|
15
|
+
var KEY_ID_BODY_HEX_LENGTH = 32;
|
|
16
|
+
var SECRET_HEX_LENGTH = 64;
|
|
17
|
+
var rawApiKeyPattern = new RegExp(
|
|
18
|
+
`^asm_(dev|prod|ci)_([0-9a-f]{${KEY_ID_BODY_HEX_LENGTH}})_([0-9a-f]{${SECRET_HEX_LENGTH}})$`
|
|
19
|
+
);
|
|
20
|
+
function createInvalidApiKeyError() {
|
|
21
|
+
return new AppError({
|
|
22
|
+
code: AppErrorCode.Unauthorized,
|
|
23
|
+
message: INVALID_API_KEY_MESSAGE,
|
|
24
|
+
statusCode: 401
|
|
25
|
+
});
|
|
26
|
+
}
|
|
27
|
+
function parseRawApiKey(rawKey) {
|
|
28
|
+
const match = rawApiKeyPattern.exec(rawKey);
|
|
29
|
+
if (match === null) {
|
|
30
|
+
throw createInvalidApiKeyError();
|
|
31
|
+
}
|
|
32
|
+
const environment = match[1];
|
|
33
|
+
const keyIdBody = match[2];
|
|
34
|
+
const secret = match[3];
|
|
35
|
+
return {
|
|
36
|
+
environment,
|
|
37
|
+
keyId: `${KEY_ID_PREFIX}${keyIdBody}`,
|
|
38
|
+
secret
|
|
39
|
+
};
|
|
40
|
+
}
|
|
41
|
+
export {
|
|
42
|
+
INVALID_API_KEY_MESSAGE,
|
|
43
|
+
createInvalidApiKeyError,
|
|
44
|
+
hashApiKeySecret,
|
|
45
|
+
parseRawApiKey
|
|
46
|
+
};
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { AppErrorCode, AppErrorDetails, AppErrorInput } from '@assemble-dev/shared-types';
|
|
2
|
+
|
|
3
|
+
declare class AppError extends Error {
|
|
4
|
+
readonly code: AppErrorCode;
|
|
5
|
+
readonly statusCode: number;
|
|
6
|
+
readonly details?: AppErrorDetails;
|
|
7
|
+
readonly cause?: Error;
|
|
8
|
+
constructor(input: AppErrorInput);
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
export { AppError as A };
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import { AppErrorCode, AppErrorDetails, AppErrorInput } from '@assemble-dev/shared-types';
|
|
2
|
+
|
|
3
|
+
declare class AppError extends Error {
|
|
4
|
+
readonly code: AppErrorCode;
|
|
5
|
+
readonly statusCode: number;
|
|
6
|
+
readonly details?: AppErrorDetails;
|
|
7
|
+
readonly cause?: Error;
|
|
8
|
+
constructor(input: AppErrorInput);
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
export { AppError as A };
|
|
@@ -0,0 +1,202 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/auth/index.ts
|
|
21
|
+
var auth_exports = {};
|
|
22
|
+
__export(auth_exports, {
|
|
23
|
+
SUPABASE_AUTHENTICATED_AUDIENCE: () => SUPABASE_AUTHENTICATED_AUDIENCE,
|
|
24
|
+
SupabaseJwtClaimsSchema: () => SupabaseJwtClaimsSchema,
|
|
25
|
+
assertNotTestCredentialInProduction: () => assertNotTestCredentialInProduction,
|
|
26
|
+
buildAuthSubjectFromClaims: () => buildAuthSubjectFromClaims,
|
|
27
|
+
computeCredentialFingerprint: () => computeCredentialFingerprint,
|
|
28
|
+
createAuthMiddleware: () => createAuthMiddleware,
|
|
29
|
+
createSupabaseLocalKeySet: () => createSupabaseLocalKeySet,
|
|
30
|
+
createSupabaseRemoteKeySet: () => createSupabaseRemoteKeySet,
|
|
31
|
+
verifySupabaseJwt: () => verifySupabaseJwt
|
|
32
|
+
});
|
|
33
|
+
module.exports = __toCommonJS(auth_exports);
|
|
34
|
+
|
|
35
|
+
// src/auth/create-auth-middleware.ts
|
|
36
|
+
var import_shared_types2 = require("@assemble-dev/shared-types");
|
|
37
|
+
|
|
38
|
+
// src/errors/app-error.ts
|
|
39
|
+
var AppError = class extends Error {
|
|
40
|
+
code;
|
|
41
|
+
statusCode;
|
|
42
|
+
details;
|
|
43
|
+
cause;
|
|
44
|
+
constructor(input) {
|
|
45
|
+
super(input.message);
|
|
46
|
+
this.name = "AppError";
|
|
47
|
+
this.code = input.code;
|
|
48
|
+
this.statusCode = input.statusCode;
|
|
49
|
+
this.details = input.details;
|
|
50
|
+
this.cause = input.cause;
|
|
51
|
+
}
|
|
52
|
+
};
|
|
53
|
+
|
|
54
|
+
// src/auth/verify-supabase-jwt.ts
|
|
55
|
+
var import_shared_types = require("@assemble-dev/shared-types");
|
|
56
|
+
var import_jose = require("jose");
|
|
57
|
+
var import_zod = require("zod");
|
|
58
|
+
var SUPABASE_AUTHENTICATED_AUDIENCE = "authenticated";
|
|
59
|
+
var SupabaseJwtUserMetadataSchema = import_zod.z.object({
|
|
60
|
+
name: import_zod.z.string().optional(),
|
|
61
|
+
full_name: import_zod.z.string().optional()
|
|
62
|
+
});
|
|
63
|
+
var SupabaseJwtClaimsSchema = import_zod.z.object({
|
|
64
|
+
sub: import_zod.z.string().min(1),
|
|
65
|
+
exp: import_zod.z.number().int().positive(),
|
|
66
|
+
iss: import_zod.z.string().min(1),
|
|
67
|
+
aud: import_zod.z.union([import_zod.z.string(), import_zod.z.array(import_zod.z.string())]),
|
|
68
|
+
email: import_zod.z.string().email().optional(),
|
|
69
|
+
user_metadata: SupabaseJwtUserMetadataSchema.optional()
|
|
70
|
+
});
|
|
71
|
+
function createSupabaseRemoteKeySet(jwksUrl) {
|
|
72
|
+
return (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
|
|
73
|
+
}
|
|
74
|
+
function createSupabaseLocalKeySet(jwks) {
|
|
75
|
+
return (0, import_jose.createLocalJWKSet)(jwks);
|
|
76
|
+
}
|
|
77
|
+
function createUnauthorizedError(message) {
|
|
78
|
+
return new AppError({
|
|
79
|
+
code: import_shared_types.AppErrorCode.Unauthorized,
|
|
80
|
+
message,
|
|
81
|
+
statusCode: 401
|
|
82
|
+
});
|
|
83
|
+
}
|
|
84
|
+
async function verifySignedTokenPayload(input) {
|
|
85
|
+
try {
|
|
86
|
+
const verification = await (0, import_jose.jwtVerify)(input.token, input.keySet, {
|
|
87
|
+
issuer: input.issuer,
|
|
88
|
+
audience: input.audience ?? SUPABASE_AUTHENTICATED_AUDIENCE,
|
|
89
|
+
algorithms: ["ES256", "RS256"],
|
|
90
|
+
currentDate: input.now === void 0 ? void 0 : new Date(input.now)
|
|
91
|
+
});
|
|
92
|
+
const parsedClaims = SupabaseJwtClaimsSchema.safeParse(verification.payload);
|
|
93
|
+
if (!parsedClaims.success) {
|
|
94
|
+
throw createUnauthorizedError("Invalid authentication token claims");
|
|
95
|
+
}
|
|
96
|
+
return parsedClaims.data;
|
|
97
|
+
} catch (error) {
|
|
98
|
+
if (error instanceof AppError) {
|
|
99
|
+
throw error;
|
|
100
|
+
}
|
|
101
|
+
throw createUnauthorizedError("Invalid authentication token");
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
function ensureAudienceIsAuthenticated(claims, expectedAudience) {
|
|
105
|
+
const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
|
|
106
|
+
if (!audiences.includes(expectedAudience)) {
|
|
107
|
+
throw createUnauthorizedError("Authentication token audience is not trusted");
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
async function verifySupabaseJwt(input) {
|
|
111
|
+
const claims = await verifySignedTokenPayload(input);
|
|
112
|
+
ensureAudienceIsAuthenticated(
|
|
113
|
+
claims,
|
|
114
|
+
input.audience ?? SUPABASE_AUTHENTICATED_AUDIENCE
|
|
115
|
+
);
|
|
116
|
+
return claims;
|
|
117
|
+
}
|
|
118
|
+
|
|
119
|
+
// src/auth/create-auth-middleware.ts
|
|
120
|
+
function createUnauthorizedError2(message) {
|
|
121
|
+
return new AppError({
|
|
122
|
+
code: import_shared_types2.AppErrorCode.Unauthorized,
|
|
123
|
+
message,
|
|
124
|
+
statusCode: 401
|
|
125
|
+
});
|
|
126
|
+
}
|
|
127
|
+
function extractBearerToken(headerValue) {
|
|
128
|
+
if (headerValue === void 0) {
|
|
129
|
+
throw createUnauthorizedError2("Missing Authorization header");
|
|
130
|
+
}
|
|
131
|
+
const bearerPrefix = "Bearer ";
|
|
132
|
+
if (!headerValue.startsWith(bearerPrefix)) {
|
|
133
|
+
throw createUnauthorizedError2("Invalid Authorization header");
|
|
134
|
+
}
|
|
135
|
+
const token = headerValue.slice(bearerPrefix.length).trim();
|
|
136
|
+
if (token.length === 0) {
|
|
137
|
+
throw createUnauthorizedError2("Missing bearer token");
|
|
138
|
+
}
|
|
139
|
+
return token;
|
|
140
|
+
}
|
|
141
|
+
function buildAuthSubjectFromClaims(claims) {
|
|
142
|
+
if (claims.email === void 0) {
|
|
143
|
+
throw createUnauthorizedError2("Authentication token is missing an email");
|
|
144
|
+
}
|
|
145
|
+
return {
|
|
146
|
+
id: claims.sub,
|
|
147
|
+
email: claims.email,
|
|
148
|
+
name: claims.user_metadata?.name ?? claims.user_metadata?.full_name ?? null
|
|
149
|
+
};
|
|
150
|
+
}
|
|
151
|
+
function createAuthMiddleware(config) {
|
|
152
|
+
return async (c, next) => {
|
|
153
|
+
const token = extractBearerToken(c.req.header("authorization"));
|
|
154
|
+
const claims = await verifySupabaseJwt({
|
|
155
|
+
token,
|
|
156
|
+
keySet: config.keySet,
|
|
157
|
+
issuer: config.issuer,
|
|
158
|
+
audience: config.audience
|
|
159
|
+
});
|
|
160
|
+
const subject = buildAuthSubjectFromClaims(claims);
|
|
161
|
+
const user = await config.resolveAuthUser(subject);
|
|
162
|
+
c.set("auth", { userId: user.id, authSubjectId: claims.sub });
|
|
163
|
+
await next();
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
// src/auth/known-test-credentials.ts
|
|
168
|
+
var import_node_crypto = require("node:crypto");
|
|
169
|
+
var import_shared_types3 = require("@assemble-dev/shared-types");
|
|
170
|
+
var KNOWN_TEST_CREDENTIAL_FINGERPRINTS = [
|
|
171
|
+
"56e17db07a352344ec8f8d91b98d65ee78213181872b8a66e41087442bb33f5b",
|
|
172
|
+
"39377069fcfbfbe509b540b9005998930d1d847a86776b560998a5cf958ba4d6"
|
|
173
|
+
];
|
|
174
|
+
function computeCredentialFingerprint(value) {
|
|
175
|
+
return (0, import_node_crypto.createHash)("sha256").update(value.trim()).digest("hex");
|
|
176
|
+
}
|
|
177
|
+
function assertNotTestCredentialInProduction(input) {
|
|
178
|
+
if (input.nodeEnv !== "production") {
|
|
179
|
+
return;
|
|
180
|
+
}
|
|
181
|
+
const fingerprint = computeCredentialFingerprint(input.value);
|
|
182
|
+
if (KNOWN_TEST_CREDENTIAL_FINGERPRINTS.includes(fingerprint)) {
|
|
183
|
+
throw new AppError({
|
|
184
|
+
code: import_shared_types3.AppErrorCode.InternalServerError,
|
|
185
|
+
message: `${input.label} is set to a committed test credential and must be replaced with a real production value`,
|
|
186
|
+
statusCode: 500,
|
|
187
|
+
details: { label: input.label }
|
|
188
|
+
});
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
192
|
+
0 && (module.exports = {
|
|
193
|
+
SUPABASE_AUTHENTICATED_AUDIENCE,
|
|
194
|
+
SupabaseJwtClaimsSchema,
|
|
195
|
+
assertNotTestCredentialInProduction,
|
|
196
|
+
buildAuthSubjectFromClaims,
|
|
197
|
+
computeCredentialFingerprint,
|
|
198
|
+
createAuthMiddleware,
|
|
199
|
+
createSupabaseLocalKeySet,
|
|
200
|
+
createSupabaseRemoteKeySet,
|
|
201
|
+
verifySupabaseJwt
|
|
202
|
+
});
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
import { MiddlewareHandler } from 'hono';
|
|
2
|
+
import { JWTVerifyGetKey, JSONWebKeySet } from 'jose';
|
|
3
|
+
import { z } from 'zod';
|
|
4
|
+
|
|
5
|
+
declare const SUPABASE_AUTHENTICATED_AUDIENCE = "authenticated";
|
|
6
|
+
declare const SupabaseJwtClaimsSchema: z.ZodObject<{
|
|
7
|
+
sub: z.ZodString;
|
|
8
|
+
exp: z.ZodNumber;
|
|
9
|
+
iss: z.ZodString;
|
|
10
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
11
|
+
email: z.ZodOptional<z.ZodString>;
|
|
12
|
+
user_metadata: z.ZodOptional<z.ZodObject<{
|
|
13
|
+
name: z.ZodOptional<z.ZodString>;
|
|
14
|
+
full_name: z.ZodOptional<z.ZodString>;
|
|
15
|
+
}, z.core.$strip>>;
|
|
16
|
+
}, z.core.$strip>;
|
|
17
|
+
type SupabaseJwtClaims = z.infer<typeof SupabaseJwtClaimsSchema>;
|
|
18
|
+
type SupabaseJwtKeySet = JWTVerifyGetKey;
|
|
19
|
+
type SupabaseJwks = JSONWebKeySet;
|
|
20
|
+
type VerifySupabaseJwtInput = {
|
|
21
|
+
token: string;
|
|
22
|
+
keySet: SupabaseJwtKeySet;
|
|
23
|
+
issuer: string;
|
|
24
|
+
audience?: string;
|
|
25
|
+
now?: number;
|
|
26
|
+
};
|
|
27
|
+
declare function createSupabaseRemoteKeySet(jwksUrl: string): SupabaseJwtKeySet;
|
|
28
|
+
declare function createSupabaseLocalKeySet(jwks: SupabaseJwks): SupabaseJwtKeySet;
|
|
29
|
+
declare function verifySupabaseJwt(input: VerifySupabaseJwtInput): Promise<SupabaseJwtClaims>;
|
|
30
|
+
|
|
31
|
+
type AuthContext = {
|
|
32
|
+
userId: string;
|
|
33
|
+
authSubjectId: string;
|
|
34
|
+
};
|
|
35
|
+
type AuthSubject = {
|
|
36
|
+
id: string;
|
|
37
|
+
email: string;
|
|
38
|
+
name: string | null;
|
|
39
|
+
};
|
|
40
|
+
type ResolvedAuthUser = {
|
|
41
|
+
id: string;
|
|
42
|
+
};
|
|
43
|
+
type ResolveAuthUser = (subject: AuthSubject) => Promise<ResolvedAuthUser>;
|
|
44
|
+
type AuthMiddlewareConfig = {
|
|
45
|
+
keySet: SupabaseJwtKeySet;
|
|
46
|
+
issuer: string;
|
|
47
|
+
audience?: string;
|
|
48
|
+
resolveAuthUser: ResolveAuthUser;
|
|
49
|
+
};
|
|
50
|
+
type AppEnv = {
|
|
51
|
+
Variables: {
|
|
52
|
+
auth: AuthContext;
|
|
53
|
+
};
|
|
54
|
+
};
|
|
55
|
+
declare function buildAuthSubjectFromClaims(claims: SupabaseJwtClaims): AuthSubject;
|
|
56
|
+
declare function createAuthMiddleware(config: AuthMiddlewareConfig): MiddlewareHandler<AppEnv>;
|
|
57
|
+
|
|
58
|
+
type AssertNotTestCredentialInProductionInput = {
|
|
59
|
+
nodeEnv: string;
|
|
60
|
+
label: string;
|
|
61
|
+
value: string;
|
|
62
|
+
};
|
|
63
|
+
declare function computeCredentialFingerprint(value: string): string;
|
|
64
|
+
declare function assertNotTestCredentialInProduction(input: AssertNotTestCredentialInProductionInput): void;
|
|
65
|
+
|
|
66
|
+
export { type AppEnv, type AssertNotTestCredentialInProductionInput, type AuthContext, type AuthMiddlewareConfig, type AuthSubject, type ResolveAuthUser, type ResolvedAuthUser, SUPABASE_AUTHENTICATED_AUDIENCE, type SupabaseJwks, type SupabaseJwtClaims, SupabaseJwtClaimsSchema, type SupabaseJwtKeySet, type VerifySupabaseJwtInput, assertNotTestCredentialInProduction, buildAuthSubjectFromClaims, computeCredentialFingerprint, createAuthMiddleware, createSupabaseLocalKeySet, createSupabaseRemoteKeySet, verifySupabaseJwt };
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
import { MiddlewareHandler } from 'hono';
|
|
2
|
+
import { JWTVerifyGetKey, JSONWebKeySet } from 'jose';
|
|
3
|
+
import { z } from 'zod';
|
|
4
|
+
|
|
5
|
+
declare const SUPABASE_AUTHENTICATED_AUDIENCE = "authenticated";
|
|
6
|
+
declare const SupabaseJwtClaimsSchema: z.ZodObject<{
|
|
7
|
+
sub: z.ZodString;
|
|
8
|
+
exp: z.ZodNumber;
|
|
9
|
+
iss: z.ZodString;
|
|
10
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
11
|
+
email: z.ZodOptional<z.ZodString>;
|
|
12
|
+
user_metadata: z.ZodOptional<z.ZodObject<{
|
|
13
|
+
name: z.ZodOptional<z.ZodString>;
|
|
14
|
+
full_name: z.ZodOptional<z.ZodString>;
|
|
15
|
+
}, z.core.$strip>>;
|
|
16
|
+
}, z.core.$strip>;
|
|
17
|
+
type SupabaseJwtClaims = z.infer<typeof SupabaseJwtClaimsSchema>;
|
|
18
|
+
type SupabaseJwtKeySet = JWTVerifyGetKey;
|
|
19
|
+
type SupabaseJwks = JSONWebKeySet;
|
|
20
|
+
type VerifySupabaseJwtInput = {
|
|
21
|
+
token: string;
|
|
22
|
+
keySet: SupabaseJwtKeySet;
|
|
23
|
+
issuer: string;
|
|
24
|
+
audience?: string;
|
|
25
|
+
now?: number;
|
|
26
|
+
};
|
|
27
|
+
declare function createSupabaseRemoteKeySet(jwksUrl: string): SupabaseJwtKeySet;
|
|
28
|
+
declare function createSupabaseLocalKeySet(jwks: SupabaseJwks): SupabaseJwtKeySet;
|
|
29
|
+
declare function verifySupabaseJwt(input: VerifySupabaseJwtInput): Promise<SupabaseJwtClaims>;
|
|
30
|
+
|
|
31
|
+
type AuthContext = {
|
|
32
|
+
userId: string;
|
|
33
|
+
authSubjectId: string;
|
|
34
|
+
};
|
|
35
|
+
type AuthSubject = {
|
|
36
|
+
id: string;
|
|
37
|
+
email: string;
|
|
38
|
+
name: string | null;
|
|
39
|
+
};
|
|
40
|
+
type ResolvedAuthUser = {
|
|
41
|
+
id: string;
|
|
42
|
+
};
|
|
43
|
+
type ResolveAuthUser = (subject: AuthSubject) => Promise<ResolvedAuthUser>;
|
|
44
|
+
type AuthMiddlewareConfig = {
|
|
45
|
+
keySet: SupabaseJwtKeySet;
|
|
46
|
+
issuer: string;
|
|
47
|
+
audience?: string;
|
|
48
|
+
resolveAuthUser: ResolveAuthUser;
|
|
49
|
+
};
|
|
50
|
+
type AppEnv = {
|
|
51
|
+
Variables: {
|
|
52
|
+
auth: AuthContext;
|
|
53
|
+
};
|
|
54
|
+
};
|
|
55
|
+
declare function buildAuthSubjectFromClaims(claims: SupabaseJwtClaims): AuthSubject;
|
|
56
|
+
declare function createAuthMiddleware(config: AuthMiddlewareConfig): MiddlewareHandler<AppEnv>;
|
|
57
|
+
|
|
58
|
+
type AssertNotTestCredentialInProductionInput = {
|
|
59
|
+
nodeEnv: string;
|
|
60
|
+
label: string;
|
|
61
|
+
value: string;
|
|
62
|
+
};
|
|
63
|
+
declare function computeCredentialFingerprint(value: string): string;
|
|
64
|
+
declare function assertNotTestCredentialInProduction(input: AssertNotTestCredentialInProductionInput): void;
|
|
65
|
+
|
|
66
|
+
export { type AppEnv, type AssertNotTestCredentialInProductionInput, type AuthContext, type AuthMiddlewareConfig, type AuthSubject, type ResolveAuthUser, type ResolvedAuthUser, SUPABASE_AUTHENTICATED_AUDIENCE, type SupabaseJwks, type SupabaseJwtClaims, SupabaseJwtClaimsSchema, type SupabaseJwtKeySet, type VerifySupabaseJwtInput, assertNotTestCredentialInProduction, buildAuthSubjectFromClaims, computeCredentialFingerprint, createAuthMiddleware, createSupabaseLocalKeySet, createSupabaseRemoteKeySet, verifySupabaseJwt };
|