@blimu/backend 0.7.0 → 1.1.0

package/src/token-verifier.ts

@@ -0,0 +1,280 @@
+import { FetchError } from 'client';
+import * as crypto from 'crypto';
+import * as jwt from 'jsonwebtoken';
+
+export interface JWK {
+  kty: string;
+  use: string;
+  kid: string;
+  alg: string;
+  n: string;
+  e: string;
+}
+
+export interface JWKSet {
+  keys: JWK[];
+}
+
+interface CachedJWK {
+  key: crypto.KeyObject;
+  kid: string;
+  expiresAt: number;
+}
+
+export interface VerifyTokenOptions {
+  url?: string; // Direct URL to JWK endpoint (for custom scenarios)
+  secretKey?: string; // API key/secret key - uses runtimeApiUrl + JWK endpoint
+  token: string;
+  runtimeApiUrl?: string; // Optional override for runtime API URL
+}
+
+export interface TokenVerifierOptions {
+  runtimeApiUrl?: string; // Default from BLIMU_AUTH_API_URL env var
+  cacheTTL?: number; // Default: 1 hour
+}
+
+export class TokenVerifier {
+  private readonly cache = new Map<string, CachedJWK>();
+  private readonly cacheTTL: number;
+  private readonly runtimeApiUrl: string;
+
+  constructor(options?: TokenVerifierOptions) {
+    this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1000; // 1 hour
+
+    const blimuAuthApiUrl =
+      typeof process !== 'undefined' && process.env.BLIMU_AUTH_API_URL
+        ? process.env.BLIMU_AUTH_API_URL
+        : undefined;
+
+    // if we have secretKey, we can call runtime-api directly, otherwise we need to use customer specific auth-api
+    this.runtimeApiUrl = blimuAuthApiUrl ?? 'https://api.blimu.dev';
+  }
+
+  /**
+   * Fetch JWK Set from runtime-api
+   */
+  private async fetchJWKSet(
+    endpoint: string,
+    headers?: Record<string, string>
+  ): Promise<JWKSet> {
+    console.log(`[TokenVerifier] 📡 Fetching JWK Set from: ${endpoint}`);
+    if (headers) {
+      console.log(
+        `[TokenVerifier] 📡 Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === 'x-api-key' ? '***' : headers[k]}`))}`
+      );
+    }
+
+    const response = await fetch(endpoint, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        ...headers,
+      },
+    });
+
+    console.log(
+      `[TokenVerifier] 📡 Response status: ${response.status} ${response.statusText}`
+    );
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      console.error(
+        `[TokenVerifier] ❌ Failed to fetch JWKs: ${response.status} ${errorText}`
+      );
+      throw new FetchError('Failed to fetch JWKs', response.status, errorText);
+    }
+
+    const jwkSet = (await response.json()) as JWKSet;
+    console.log(
+      `[TokenVerifier] ✅ Successfully fetched JWK Set with ${jwkSet.keys.length} keys`
+    );
+    return jwkSet;
+  }
+
+  /**
+   * Convert JWK to KeyObject
+   */
+  private jwkToKeyObject(jwk: JWK): crypto.KeyObject {
+    return crypto.createPublicKey({
+      key: {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        alg: jwk.alg,
+      },
+      format: 'jwk',
+    });
+  }
+
+  /**
+   * Get public key for a specific key ID
+   */
+  private async getPublicKey(
+    kid: string,
+    cacheKey: string,
+    endpoint: string,
+    headers?: Record<string, string>
+  ): Promise<crypto.KeyObject> {
+    // Check cache first
+    const cached = this.cache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+      console.log(`[TokenVerifier] ✅ Using cached key for kid: ${kid}`);
+      return cached.key;
+    }
+
+    console.log(
+      `[TokenVerifier] 🔍 Cache miss or expired. Fetching new key for kid: ${kid}`
+    );
+
+    // Fetch JWK Set
+    const jwkSet = await this.fetchJWKSet(endpoint, headers);
+
+    // Find the key with matching kid
+    const jwk = jwkSet.keys.find((k) => k.kid === kid);
+    if (!jwk) {
+      const availableKids = jwkSet.keys.map((k) => k.kid).join(', ');
+      console.error(
+        `[TokenVerifier] ❌ Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
+      );
+      throw new Error(
+        `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
+      );
+    }
+
+    console.log(`[TokenVerifier] ✅ Found key with kid: ${kid}`);
+
+    // Convert JWK to KeyObject
+    const keyObject = this.jwkToKeyObject(jwk);
+
+    // Cache the key
+    this.cache.set(cacheKey, {
+      key: keyObject,
+      kid,
+      expiresAt: Date.now() + this.cacheTTL,
+    });
+
+    return keyObject;
+  }
+
+  /**
+   * Verify JWT token using JWKs from runtime-api
+   */
+  async verifyToken<T = any>(options: VerifyTokenOptions): Promise<T> {
+    const { url, secretKey, token, runtimeApiUrl } = options;
+
+    if (!url && !secretKey) {
+      throw new Error('Either url or secretKey must be provided');
+    }
+
+    if (url && secretKey) {
+      throw new Error('Cannot provide both url and secretKey');
+    }
+
+    // Decode token header to get kid (without verification)
+    const decoded = jwt.decode(token, { complete: true });
+    if (!decoded || typeof decoded === 'string') {
+      throw new Error('Invalid token format');
+    }
+
+    const header = decoded.header;
+    if (!header.kid) {
+      throw new Error('Token missing kid in header');
+    }
+
+    let endpoint: string;
+    let cacheKey: string;
+    let headers: Record<string, string> | undefined;
+
+    if (secretKey) {
+      // Use secretKey with runtimeApiUrl
+      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
+      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
+      cacheKey = secretKey;
+      headers = {
+        'x-api-key': secretKey,
+      };
+      console.log(
+        `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
+      );
+    } else {
+      // Use direct URL
+      endpoint = url!;
+      cacheKey = url!;
+      console.log(
+        `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
+      );
+    }
+
+    // Get public key for this kid
+    let publicKey: crypto.KeyObject;
+    try {
+      publicKey = await this.getPublicKey(
+        header.kid,
+        cacheKey,
+        endpoint,
+        headers
+      );
+      console.log(
+        `[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid}`
+      );
+    } catch (error) {
+      console.error(
+        `[TokenVerifier] ❌ Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
+      );
+      // If verification fails, clear cache and retry once (handles key rotation)
+      this.clearCache(cacheKey);
+      console.log(`[TokenVerifier] 🔄 Retrying after cache clear...`);
+      try {
+        publicKey = await this.getPublicKey(
+          header.kid,
+          cacheKey,
+          endpoint,
+          headers
+        );
+        console.log(
+          `[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid} (retry)`
+        );
+      } catch (retryError) {
+        console.error(
+          `[TokenVerifier] ❌ Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
+        );
+        throw retryError;
+      }
+    }
+
+    // Verify token
+    try {
+      const payload = jwt.verify(token, publicKey, {
+        algorithms: ['RS256'],
+      }) as T;
+      console.log(`[TokenVerifier] ✅ Token verified successfully`);
+      return payload;
+    } catch (error) {
+      console.error(
+        `[TokenVerifier] ❌ JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
+      );
+      throw error;
+    }
+  }
+
+  /**
+   * Clear cache (useful for testing or key rotation)
+   */
+  clearCache(secretKeyOrUrl?: string): void {
+    if (secretKeyOrUrl) {
+      this.cache.delete(secretKeyOrUrl);
+    } else {
+      this.cache.clear();
+    }
+  }
+}
+
+/**
+ * Convenience function to verify a token
+ */
+export async function verifyToken<T = any>(
+  options: VerifyTokenOptions
+): Promise<T> {
+  const verifier = new TokenVerifier();
+  return verifier.verifyToken<T>(options);
+}

package/src/utils.ts

@@ -0,0 +1,56 @@
+import { parseSSEStream, parseNDJSONStream } from '@blimu/fetch';
+
+export type PaginableQuery = { limit?: number; offset?: number } & Record<
+  string,
+  unknown
+>;
+
+export async function* paginate<T>(
+  fetchPage: (
+    query?: any,
+    init?: Omit<RequestInit, 'method' | 'body'>
+  ) => Promise<{
+    data?: T[];
+    hasMore?: boolean;
+    limit?: number;
+    offset?: number;
+  }>,
+  initialQuery: PaginableQuery = {},
+  pageSize = 100
+): AsyncGenerator<T, void, unknown> {
+  let offset = Number(initialQuery.offset ?? 0);
+  const limit = Number(initialQuery.limit ?? pageSize);
+  // shallow copy to avoid mutating caller
+  const baseQuery: any = { ...initialQuery };
+  while (true) {
+    const page = await fetchPage({ ...baseQuery, limit, offset });
+    const items = page.data ?? [];
+    for (const item of items) {
+      yield item as T;
+    }
+    if (!page.hasMore || items.length < limit) break;
+    offset += limit;
+  }
+}
+
+export async function listAll<T>(
+  fetchPage: (
+    query?: any,
+    init?: Omit<RequestInit, 'method' | 'body'>
+  ) => Promise<{
+    data?: T[];
+    hasMore?: boolean;
+    limit?: number;
+    offset?: number;
+  }>,
+  query: PaginableQuery = {},
+  pageSize = 100
+): Promise<T[]> {
+  const out: T[] = [];
+  for await (const item of paginate<T>(fetchPage, query, pageSize))
+    out.push(item);
+  return out;
+}
+
+// Re-export streaming parsers from @blimu/fetch
+export { parseSSEStream, parseNDJSONStream };

package/scripts/download-binary.js

@@ -1,243 +0,0 @@
-#!/usr/bin/env node
-
-const https = require('https');
-const fs = require('fs');
-const path = require('path');
-const { execSync } = require('child_process');
-
-const BIN_DIR = path.join(__dirname, '..', 'bin');
-const GITHUB_REPO = 'blimu-dev/blimu-cli';
-
-// Platform mapping
-const platformMap = {
-  darwin: 'darwin',
-  linux: 'linux',
-  win32: 'windows',
-};
-
-// Architecture mapping
-const archMap = {
-  x64: 'amd64',
-  arm64: 'arm64',
-};
-
-function getPlatformInfo() {
-  const platform = process.platform;
-  const arch = process.arch;
-
-  const goPlatform = platformMap[platform];
-  const goArch = archMap[arch];
-
-  if (!goPlatform || !goArch) {
-    throw new Error(
-      `Unsupported platform: ${platform}/${arch}. Supported platforms: darwin, linux, win32. Supported architectures: x64, arm64`,
-    );
-  }
-
-  const binaryName = platform === 'win32' ? 'blimu.exe' : 'blimu';
-  const assetName = `blimu-${goPlatform}-${goArch}${platform === 'win32' ? '.exe' : ''}`;
-
-  return {
-    platform: goPlatform,
-    arch: goArch,
-    binaryName,
-    assetName,
-  };
-}
-
-/**
- * Verify that an existing binary matches the current platform/architecture
- * Returns true if the binary is correct, false otherwise
- */
-function verifyBinaryArchitecture(binaryPath) {
-  try {
-    // Use 'file' command to check binary type (available on macOS and Linux)
-    const output = execSync(`file "${binaryPath}"`, { encoding: 'utf8' });
-
-    const platform = process.platform;
-    const arch = process.arch;
-
-    if (platform === 'darwin') {
-      // macOS: should be "Mach-O 64-bit executable arm64" or "Mach-O 64-bit executable x86_64"
-      const expectedArch = arch === 'arm64' ? 'arm64' : 'x86_64';
-      if (!output.includes('Mach-O') || !output.includes(expectedArch)) {
-        return false;
-      }
-    } else if (platform === 'linux') {
-      // Linux: should be "ELF 64-bit LSB executable, x86-64" or "ELF 64-bit LSB executable, ARM aarch64"
-      const expectedArch = arch === 'arm64' ? 'ARM aarch64' : 'x86-64';
-      if (!output.includes('ELF') || !output.includes(expectedArch)) {
-        return false;
-      }
-    } else if (platform === 'win32') {
-      // Windows: should be "PE32+ executable"
-      if (!output.includes('PE32+')) {
-        return false;
-      }
-    }
-
-    return true;
-  } catch (err) {
-    // If 'file' command fails or is not available, assume binary is incorrect to be safe
-    // This will trigger a re-download
-    return false;
-  }
-}
-
-function downloadFile(url, dest) {
-  return new Promise((resolve, reject) => {
-    const file = fs.createWriteStream(dest);
-    https
-      .get(url, (response) => {
-        if (response.statusCode === 302 || response.statusCode === 301) {
-          // Follow redirect
-          return downloadFile(response.headers.location, dest).then(resolve).catch(reject);
-        }
-        if (response.statusCode !== 200) {
-          file.close();
-          fs.unlinkSync(dest);
-          reject(new Error(`Failed to download: ${response.statusCode} ${response.statusMessage}`));
-          return;
-        }
-        response.pipe(file);
-        file.on('finish', () => {
-          file.close();
-          resolve();
-        });
-      })
-      .on('error', (err) => {
-        file.close();
-        if (fs.existsSync(dest)) {
-          fs.unlinkSync(dest);
-        }
-        reject(err);
-      });
-  });
-}
-
-function getReleaseUrl(version, assetName) {
-  return new Promise((resolve, reject) => {
-    // Always use latest release - version parameter is ignored
-    const tag = 'latest';
-    const url = `https://api.github.com/repos/${GITHUB_REPO}/releases/${tag}`;
-
-    https
-      .get(
-        url,
-        {
-          headers: {
-            'User-Agent': 'blimu-ts-installer',
-            Accept: 'application/vnd.github.v3+json',
-          },
-        },
-        (res) => {
-          let data = '';
-          res.on('data', (chunk) => {
-            data += chunk;
-          });
-          res.on('end', () => {
-            if (res.statusCode === 404) {
-              reject(
-                new Error(
-                  `Latest CLI release not found. Please check the blimu-cli repository for available releases.`,
-                ),
-              );
-              return;
-            }
-            if (res.statusCode !== 200) {
-              reject(
-                new Error(`Failed to fetch latest release: ${res.statusCode} ${res.statusMessage}`),
-              );
-              return;
-            }
-            try {
-              const release = JSON.parse(data);
-              const asset = release.assets.find((a) => a.name === assetName);
-              if (!asset) {
-                reject(new Error(`Asset ${assetName} not found in latest release`));
-                return;
-              }
-              resolve(asset.browser_download_url);
-            } catch (err) {
-              reject(err);
-            }
-          });
-        },
-      )
-      .on('error', reject);
-  });
-}
-
-async function main(version) {
-  try {
-    // Always use latest version - version parameter is ignored for consistency
-    // This ensures users always get the latest CLI features and fixes
-    version = null;
-
-    const { binaryName, assetName } = getPlatformInfo();
-
-    // Create bin directory if it doesn't exist
-    if (!fs.existsSync(BIN_DIR)) {
-      fs.mkdirSync(BIN_DIR, { recursive: true });
-    }
-
-    const binaryPath = path.join(BIN_DIR, binaryName);
-
-    // Check if binary already exists and is executable
-    if (fs.existsSync(binaryPath)) {
-      // Verify the binary matches the current platform/architecture
-      const isCorrectArchitecture = verifyBinaryArchitecture(binaryPath);
-
-      if (isCorrectArchitecture) {
-        try {
-          // Try to make it executable (Unix only)
-          if (process.platform !== 'win32') {
-            fs.chmodSync(binaryPath, 0o755);
-          }
-          console.log(`✅ Blimu CLI binary already exists at ${binaryPath}`);
-          return;
-        } catch (err) {
-          // If we can't check/update permissions, continue to download
-        }
-      } else {
-        // Binary exists but is for wrong platform/architecture - delete it
-        console.log(`⚠️  Existing binary is for wrong platform/architecture, will re-download...`);
-        try {
-          fs.unlinkSync(binaryPath);
-        } catch (err) {
-          console.warn(`Warning: Could not delete incorrect binary: ${err.message}`);
-        }
-      }
-    }
-
-    console.log(
-      `📥 Downloading Blimu CLI binary (latest) for ${process.platform}/${process.arch}...`,
-    );
-
-    // Get release download URL
-    const downloadUrl = await getReleaseUrl(version, assetName);
-    console.log(`🔗 Download URL: ${downloadUrl}`);
-
-    // Download the binary
-    await downloadFile(downloadUrl, binaryPath);
-
-    // Make binary executable (Unix only)
-    if (process.platform !== 'win32') {
-      fs.chmodSync(binaryPath, 0o755);
-    }
-
-    console.log(`✅ Blimu CLI binary downloaded successfully to ${binaryPath}`);
-  } catch (error) {
-    console.error(`❌ Failed to download Blimu CLI binary: ${error.message}`);
-    console.error(`\nYou can manually install it by running:`);
-    console.error(`  go install github.com/blimu-dev/blimu-cli/cmd/blimucli@latest`);
-    console.error(`\nOr download from: https://github.com/${GITHUB_REPO}/releases/latest`);
-    process.exit(1);
-  }
-}
-
-if (require.main === module) {
-  main();
-}
-
-module.exports = { main, getPlatformInfo };

package/scripts/postinstall.js

@@ -1,24 +0,0 @@
-#!/usr/bin/env node
-
-const path = require('path');
-const fs = require('fs');
-const { main } = require('./download-binary');
-
-// Only run download if we're in a production install (not in development)
-// Check if we're in node_modules (production install) or in the repo (development)
-const isProductionInstall = __dirname.includes('node_modules');
-
-if (isProductionInstall || process.env.BLIMU_DOWNLOAD_CLI !== 'false') {
-  // Always download the latest CLI version
-  main(null).catch((error) => {
-    // Fail the install if binary download fails
-    console.error('Error: Failed to download Blimu CLI binary during install.');
-    console.error(error.message);
-    console.error('\nThe package will download the latest available CLI version.');
-    console.error('\nYou can manually install it by running:');
-    console.error('  go install github.com/blimu-dev/blimu-cli/cmd/blimucli@latest');
-    process.exit(1);
-  });
-} else {
-  console.log('Skipping Blimu CLI binary download (development mode)');
-}