npm - @blimu/backend - Versions diffs - 1.1.4 → 1.2.0 - Mend

@blimu/backend 1.1.4 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/dist/client-B-ZYoU15.d.mts +95 -0
package/dist/client-GKBT3WCg.d.ts +95 -0
package/dist/client.d.mts +1 -30
package/dist/client.d.ts +1 -30
package/dist/index.cjs +4 -4
package/dist/index.cjs.map +1 -1
package/dist/index.d.mts +469 -13
package/dist/index.d.ts +469 -13
package/package.json +2 -2
package/dist/__tests__/token-verifier.test.cjs +0 -17662
package/dist/__tests__/token-verifier.test.cjs.map +0 -1
package/dist/__tests__/token-verifier.test.d.mts +0 -2
package/dist/__tests__/token-verifier.test.d.ts +0 -2
package/dist/__tests__/token-verifier.test.mjs +0 -17661
package/dist/__tests__/token-verifier.test.mjs.map +0 -1
package/dist/auth-strategies.cjs +0 -42
package/dist/auth-strategies.cjs.map +0 -1
package/dist/auth-strategies.d.mts +0 -16
package/dist/auth-strategies.d.ts +0 -16
package/dist/auth-strategies.mjs +0 -17
package/dist/auth-strategies.mjs.map +0 -1
package/dist/schema.zod-DtXVS-1g.d.mts +0 -434
package/dist/schema.zod-DtXVS-1g.d.ts +0 -434
package/dist/schema.zod.cjs +0 -489
package/dist/schema.zod.cjs.map +0 -1
package/dist/schema.zod.d.mts +0 -2
package/dist/schema.zod.d.ts +0 -2
package/dist/schema.zod.mjs +0 -427
package/dist/schema.zod.mjs.map +0 -1
package/dist/services/bulk_resources.cjs +0 -48
package/dist/services/bulk_resources.cjs.map +0 -1
package/dist/services/bulk_resources.d.mts +0 -10
package/dist/services/bulk_resources.d.ts +0 -10
package/dist/services/bulk_resources.mjs +0 -23
package/dist/services/bulk_resources.mjs.map +0 -1
package/dist/services/bulk_roles.cjs +0 -48
package/dist/services/bulk_roles.cjs.map +0 -1
package/dist/services/bulk_roles.d.mts +0 -10
package/dist/services/bulk_roles.d.ts +0 -10
package/dist/services/bulk_roles.mjs +0 -23
package/dist/services/bulk_roles.mjs.map +0 -1
package/dist/services/entitlements.cjs +0 -72
package/dist/services/entitlements.cjs.map +0 -1
package/dist/services/entitlements.d.mts +0 -12
package/dist/services/entitlements.d.ts +0 -12
package/dist/services/entitlements.mjs +0 -47
package/dist/services/entitlements.mjs.map +0 -1
package/dist/services/plans.cjs +0 -70
package/dist/services/plans.cjs.map +0 -1
package/dist/services/plans.d.mts +0 -12
package/dist/services/plans.d.ts +0 -12
package/dist/services/plans.mjs +0 -45
package/dist/services/plans.mjs.map +0 -1
package/dist/services/resource_members.cjs +0 -48
package/dist/services/resource_members.cjs.map +0 -1
package/dist/services/resource_members.d.mts +0 -10
package/dist/services/resource_members.d.ts +0 -10
package/dist/services/resource_members.mjs +0 -23
package/dist/services/resource_members.mjs.map +0 -1
package/dist/services/resources.cjs +0 -94
package/dist/services/resources.cjs.map +0 -1
package/dist/services/resources.d.mts +0 -14
package/dist/services/resources.d.ts +0 -14
package/dist/services/resources.mjs +0 -69
package/dist/services/resources.mjs.map +0 -1
package/dist/services/roles.cjs +0 -71
package/dist/services/roles.cjs.map +0 -1
package/dist/services/roles.d.mts +0 -12
package/dist/services/roles.d.ts +0 -12
package/dist/services/roles.mjs +0 -46
package/dist/services/roles.mjs.map +0 -1
package/dist/services/usage.cjs +0 -96
package/dist/services/usage.cjs.map +0 -1
package/dist/services/usage.d.mts +0 -14
package/dist/services/usage.d.ts +0 -14
package/dist/services/usage.mjs +0 -71
package/dist/services/usage.mjs.map +0 -1
package/dist/services/users.cjs +0 -105
package/dist/services/users.cjs.map +0 -1
package/dist/services/users.d.mts +0 -15
package/dist/services/users.d.ts +0 -15
package/dist/services/users.mjs +0 -80
package/dist/services/users.mjs.map +0 -1
package/dist/token-verifier.cjs +0 -218
package/dist/token-verifier.cjs.map +0 -1
package/dist/token-verifier.d.mts +0 -35
package/dist/token-verifier.d.ts +0 -35
package/dist/token-verifier.mjs +0 -180
package/dist/token-verifier.mjs.map +0 -1

package/dist/services/users.mjs DELETED Viewed

@@ -1,80 +0,0 @@
-// src/services/users.ts
-import "@blimu/fetch";
-var UsersService = class {
-  constructor(core) {
-    this.core = core;
-  }
-  /**
-   * GET /v1/users*
-   * @summary List users*
-   * @description Retrieves a paginated list of users in your environment. Supports search functionality to filter users by email, name, or lookup key.*/
-  list(query, init) {
-    return this.core.request({
-      method: "GET",
-      path: `/v1/users`,
-      query,
-      ...init ?? {}
-    });
-  }
-  /**
-   * POST /v1/users*
-   * @summary Create a user*
-   * @description Creates a new user in your environment. The lookupKey is a unique identifier that you can use to reference the user in your system. It should be stable and not change over time.*/
-  create(body, init) {
-    return this.core.request({
-      method: "POST",
-      path: `/v1/users`,
-      body,
-      ...init ?? {}
-    });
-  }
-  /**
-   * DELETE /v1/users/{userId}*
-   * @summary Delete a user*
-   * @description Deletes a user by their ID or lookup key. This operation is permanent and cannot be undone. Deleting a user will also remove all role assignments for that user.*/
-  delete(userId, init) {
-    return this.core.request({
-      method: "DELETE",
-      path: `/v1/users/${encodeURIComponent(userId)}`,
-      ...init ?? {}
-    });
-  }
-  /**
-   * GET /v1/users/{userId}*
-   * @summary Get a user by ID*
-   * @description Retrieves a single user by their ID or lookup key. Returns user information including email, name, and metadata.*/
-  read(userId, init) {
-    return this.core.request({
-      method: "GET",
-      path: `/v1/users/${encodeURIComponent(userId)}`,
-      ...init ?? {}
-    });
-  }
-  /**
-   * PUT /v1/users/{userId}*
-   * @summary Update a user*
-   * @description Updates an existing user. You can modify email, name, and other user properties. The lookupKey can be updated but should remain stable.*/
-  update(userId, body, init) {
-    return this.core.request({
-      method: "PUT",
-      path: `/v1/users/${encodeURIComponent(userId)}`,
-      body,
-      ...init ?? {}
-    });
-  }
-  /**
-   * GET /v1/users/{userId}/effective-user-resources-roles*
-   * @summary List effective user resources roles*
-   * @description Retrieves all resources and roles for a user, including inherited roles from parent resources. The response indicates whether each role is directly assigned or inherited through resource hierarchies.*/
-  listEffectiveUserResourcesRoles(userId, init) {
-    return this.core.request({
-      method: "GET",
-      path: `/v1/users/${encodeURIComponent(userId)}/effective-user-resources-roles`,
-      ...init ?? {}
-    });
-  }
-};
-export {
-  UsersService
-};
-//# sourceMappingURL=users.mjs.map

package/dist/services/users.mjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../../src/services/users.ts"],"sourcesContent":["import { FetchClient } from '@blimu/fetch';\nimport * as Schema from '../schema';\n\nexport class UsersService {\n constructor(private core: FetchClient) {}\n\n /**\n * GET /v1/users*\n * @summary List users*\n * @description Retrieves a paginated list of users in your environment. Supports search functionality to filter users by email, name, or lookup key.*/\n list(\n query?: Schema.UsersListQuery,\n init?: Omit<RequestInit, 'method' | 'body'>\n ): Promise<Schema.UserList> {\n return this.core.request({\n method: 'GET',\n path: `/v1/users`,\n query,\n ...(init ?? {}),\n });\n }\n\n /**\n * POST /v1/users*\n * @summary Create a user*\n * @description Creates a new user in your environment. The lookupKey is a unique identifier that you can use to reference the user in your system. It should be stable and not change over time.*/\n create(\n body: Schema.UserCreateBody,\n init?: Omit<RequestInit, 'method' | 'body'>\n ): Promise<Schema.User> {\n return this.core.request({\n method: 'POST',\n path: `/v1/users`,\n body,\n ...(init ?? {}),\n });\n }\n\n /**\n * DELETE /v1/users/{userId}*\n * @summary Delete a user*\n * @description Deletes a user by their ID or lookup key. This operation is permanent and cannot be undone. Deleting a user will also remove all role assignments for that user.*/\n delete(userId: string, init?: Omit<RequestInit, 'method' | 'body'>): Promise<unknown> {\n return this.core.request({\n method: 'DELETE',\n path: `/v1/users/${encodeURIComponent(userId)}`,\n ...(init ?? {}),\n });\n }\n\n /**\n * GET /v1/users/{userId}*\n * @summary Get a user by ID*\n * @description Retrieves a single user by their ID or lookup key. Returns user information including email, name, and metadata.*/\n read(userId: string, init?: Omit<RequestInit, 'method' | 'body'>): Promise<Schema.User> {\n return this.core.request({\n method: 'GET',\n path: `/v1/users/${encodeURIComponent(userId)}`,\n ...(init ?? {}),\n });\n }\n\n /**\n * PUT /v1/users/{userId}*\n * @summary Update a user*\n * @description Updates an existing user. You can modify email, name, and other user properties. The lookupKey can be updated but should remain stable.*/\n update(\n userId: string,\n body: Schema.UserUpdateBody,\n init?: Omit<RequestInit, 'method' | 'body'>\n ): Promise<Schema.User> {\n return this.core.request({\n method: 'PUT',\n path: `/v1/users/${encodeURIComponent(userId)}`,\n body,\n ...(init ?? {}),\n });\n }\n\n /**\n * GET /v1/users/{userId}/effective-user-resources-roles*\n * @summary List effective user resources roles*\n * @description Retrieves all resources and roles for a user, including inherited roles from parent resources. The response indicates whether each role is directly assigned or inherited through resource hierarchies.*/\n listEffectiveUserResourcesRoles(\n userId: string,\n init?: Omit<RequestInit, 'method' | 'body'>\n ): Promise<Schema.UserResourceList> {\n return this.core.request({\n method: 'GET',\n path: `/v1/users/${encodeURIComponent(userId)}/effective-user-resources-roles`,\n ...(init ?? {}),\n });\n }\n}\n"],"mappings":";AAAA,OAA4B;AAGrB,IAAM,eAAN,MAAmB;AAAA,EACxB,YAAoB,MAAmB;AAAnB;AAAA,EAAoB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxC,KACE,OACA,MAC0B;AAC1B,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM;AAAA,MACN;AAAA,MACA,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OACE,MACA,MACsB;AACtB,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM;AAAA,MACN;AAAA,MACA,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAO,QAAgB,MAA+D;AACpF,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM,aAAa,mBAAmB,MAAM,CAAC;AAAA,MAC7C,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,KAAK,QAAgB,MAAmE;AACtF,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM,aAAa,mBAAmB,MAAM,CAAC;AAAA,MAC7C,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OACE,QACA,MACA,MACsB;AACtB,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM,aAAa,mBAAmB,MAAM,CAAC;AAAA,MAC7C;AAAA,MACA,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gCACE,QACA,MACkC;AAClC,WAAO,KAAK,KAAK,QAAQ;AAAA,MACvB,QAAQ;AAAA,MACR,MAAM,aAAa,mBAAmB,MAAM,CAAC;AAAA,MAC7C,GAAI,QAAQ,CAAC;AAAA,IACf,CAAC;AAAA,EACH;AACF;","names":[]}

package/dist/token-verifier.cjs DELETED Viewed

@@ -1,218 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-// src/token-verifier.ts
-var token_verifier_exports = {};
-__export(token_verifier_exports, {
-  TokenVerifier: () => TokenVerifier,
-  verifyToken: () => verifyToken
-});
-module.exports = __toCommonJS(token_verifier_exports);
-// src/client.ts
-var import_fetch = require("@blimu/fetch");
-var import_fetch2 = require("@blimu/fetch");
-// src/token-verifier.ts
-var crypto = __toESM(require("crypto"));
-var jwt = __toESM(require("jsonwebtoken"));
-var TokenVerifier = class {
-  cache = /* @__PURE__ */ new Map();
-  cacheTTL;
-  runtimeApiUrl;
-  constructor(options) {
-    this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new import_fetch.FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
-  }
-  /**
-   * Convert JWK to KeyObject
-   */
-  jwkToKeyObject(jwk) {
-    return crypto.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e,
-        alg: jwk.alg
-      },
-      format: "jwk"
-    });
-  }
-  /**
-   * Get public key for a specific key ID
-   */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
-    const cached = this.cache.get(cacheKey);
-    if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
-      return cached.key;
-    }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
-    const jwk = jwkSet.keys.find((k) => k.kid === kid);
-    if (!jwk) {
-      const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
-      throw new Error(
-        `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
-    }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
-    const keyObject = this.jwkToKeyObject(jwk);
-    this.cache.set(cacheKey, {
-      key: keyObject,
-      kid,
-      expiresAt: Date.now() + this.cacheTTL
-    });
-    return keyObject;
-  }
-  /**
-   * Verify JWT token using JWKs from runtime-api
-   */
-  async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
-    }
-    const decoded = jwt.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
-      throw new Error("Invalid token format");
-    }
-    const header = decoded.header;
-    if (!header.kid) {
-      throw new Error("Token missing kid in header");
-    }
-    let endpoint;
-    let cacheKey;
-    let headers;
-    if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
-      cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
-    } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
-    }
-    let publicKey;
-    try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
-      this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
-    }
-  }
-  /**
-   * Clear cache (useful for testing or key rotation)
-   */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
-    } else {
-      this.cache.clear();
-    }
-  }
-};
-async function verifyToken(options) {
-  const verifier = new TokenVerifier();
-  return verifier.verifyToken(options);
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  TokenVerifier,
-  verifyToken
-});
-//# sourceMappingURL=token-verifier.cjs.map

package/dist/token-verifier.cjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/token-verifier.ts","../src/client.ts"],"sourcesContent":["import { FetchError } from './client';\nimport * as crypto from 'crypto';\nimport * as jwt from 'jsonwebtoken';\n\nexport interface JWK {\n kty: string;\n use: string;\n kid: string;\n alg: string;\n n: string;\n e: string;\n}\n\nexport interface JWKSet {\n keys: JWK[];\n}\n\ninterface CachedJWK {\n key: crypto.KeyObject;\n kid: string;\n expiresAt: number;\n}\n\nexport interface VerifyTokenOptions {\n url?: string; // Direct URL to JWK endpoint (for custom scenarios)\n secretKey?: string; // API key/secret key - uses runtimeApiUrl + JWK endpoint\n token: string;\n runtimeApiUrl?: string | undefined; // Optional override for runtime API URL\n}\n\nexport interface TokenVerifierOptions {\n runtimeApiUrl?: string | undefined;\n cacheTTL?: number | undefined; // Default: 1 hour\n}\n\nexport class TokenVerifier {\n private readonly cache = new Map<string, CachedJWK>();\n private readonly cacheTTL: number;\n private readonly runtimeApiUrl: string;\n\n constructor(options?: TokenVerifierOptions) {\n this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1000; // 1 hour\n\n this.runtimeApiUrl = options?.runtimeApiUrl ?? 'https://api.blimu.dev';\n }\n\n /**\n * Fetch JWK Set from runtime-api\n */\n private async fetchJWKSet(endpoint: string, headers?: Record<string, string>): Promise<JWKSet> {\n console.log(`[TokenVerifier] 📡 Fetching JWK Set from: ${endpoint}`);\n if (headers) {\n console.log(\n `[TokenVerifier] 📡 Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === 'x-api-key' ? '***' : headers[k]}`))}`\n );\n }\n\n const response = await fetch(endpoint, {\n method: 'GET',\n headers: {\n 'Content-Type': 'application/json',\n ...headers,\n },\n });\n\n console.log(`[TokenVerifier] 📡 Response status: ${response.status} ${response.statusText}`);\n\n if (!response.ok) {\n const errorText = await response.text();\n console.error(`[TokenVerifier] ❌ Failed to fetch JWKs: ${response.status} ${errorText}`);\n throw new FetchError('Failed to fetch JWKs', response.status, errorText);\n }\n\n const jwkSet = (await response.json()) as JWKSet;\n console.log(`[TokenVerifier] ✅ Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);\n return jwkSet;\n }\n\n /**\n * Convert JWK to KeyObject\n */\n private jwkToKeyObject(jwk: JWK): crypto.KeyObject {\n return crypto.createPublicKey({\n key: {\n kty: jwk.kty,\n n: jwk.n,\n e: jwk.e,\n alg: jwk.alg,\n },\n format: 'jwk',\n });\n }\n\n /**\n * Get public key for a specific key ID\n */\n private async getPublicKey(\n kid: string,\n cacheKey: string,\n endpoint: string,\n headers?: Record<string, string>\n ): Promise<crypto.KeyObject> {\n // Check cache first\n const cached = this.cache.get(cacheKey);\n if (cached && cached.expiresAt > Date.now()) {\n console.log(`[TokenVerifier] ✅ Using cached key for kid: ${kid}`);\n return cached.key;\n }\n\n console.log(`[TokenVerifier] 🔍 Cache miss or expired. Fetching new key for kid: ${kid}`);\n\n // Fetch JWK Set\n const jwkSet = await this.fetchJWKSet(endpoint, headers);\n\n // Find the key with matching kid\n const jwk = jwkSet.keys.find((k) => k.kid === kid);\n if (!jwk) {\n const availableKids = jwkSet.keys.map((k) => k.kid).join(', ');\n console.error(\n `[TokenVerifier] ❌ Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`\n );\n throw new Error(\n `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`\n );\n }\n\n console.log(`[TokenVerifier] ✅ Found key with kid: ${kid}`);\n\n // Convert JWK to KeyObject\n const keyObject = this.jwkToKeyObject(jwk);\n\n // Cache the key\n this.cache.set(cacheKey, {\n key: keyObject,\n kid,\n expiresAt: Date.now() + this.cacheTTL,\n });\n\n return keyObject;\n }\n\n /**\n * Verify JWT token using JWKs from runtime-api\n */\n async verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T> {\n const { url, secretKey, token, runtimeApiUrl } = options;\n\n if (!url && !secretKey) {\n throw new Error('Either url or secretKey must be provided');\n }\n\n if (url && secretKey) {\n throw new Error('Cannot provide both url and secretKey');\n }\n\n // Decode token header to get kid (without verification)\n const decoded = jwt.decode(token, { complete: true });\n if (!decoded || typeof decoded === 'string') {\n throw new Error('Invalid token format');\n }\n\n const header = decoded.header;\n if (!header.kid) {\n throw new Error('Token missing kid in header');\n }\n\n let endpoint: string;\n let cacheKey: string;\n let headers: Record<string, string> | undefined;\n\n if (secretKey) {\n // Use secretKey with runtimeApiUrl\n const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;\n endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;\n cacheKey = secretKey;\n headers = {\n 'x-api-key': secretKey,\n };\n console.log(\n `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`\n );\n } else {\n // Use direct URL\n endpoint = url!;\n cacheKey = url!;\n console.log(\n `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`\n );\n }\n\n // Get public key for this kid\n let publicKey: crypto.KeyObject;\n try {\n publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);\n console.log(`[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid}`);\n } catch (error) {\n console.error(\n `[TokenVerifier] ❌ Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`\n );\n // If verification fails, clear cache and retry once (handles key rotation)\n this.clearCache(cacheKey);\n console.log(`[TokenVerifier] 🔄 Retrying after cache clear...`);\n try {\n publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);\n console.log(\n `[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid} (retry)`\n );\n } catch (retryError) {\n console.error(\n `[TokenVerifier] ❌ Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`\n );\n throw retryError;\n }\n }\n\n // Verify token\n try {\n const payload = jwt.verify(token, publicKey, {\n algorithms: ['RS256'],\n }) as T;\n console.log(`[TokenVerifier] ✅ Token verified successfully`);\n return payload;\n } catch (error) {\n console.error(\n `[TokenVerifier] ❌ JWT verification failed: ${error instanceof Error ? error.message : String(error)}`\n );\n throw error;\n }\n }\n\n /**\n * Clear cache (useful for testing or key rotation)\n */\n clearCache(secretKeyOrUrl?: string): void {\n if (secretKeyOrUrl) {\n this.cache.delete(secretKeyOrUrl);\n } else {\n this.cache.clear();\n }\n }\n}\n\n/**\n * Convenience function to verify a token\n */\nexport async function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T> {\n const verifier = new TokenVerifier();\n return verifier.verifyToken<T>(options);\n}\n","import { FetchClient, FetchError } from '@blimu/fetch';\nimport { type FetchClientConfig, type ApiKeyAuthStrategy } from '@blimu/fetch';\nimport { buildAuthStrategies } from './auth-strategies';\nimport { BulkResourcesService } from './services/bulk_resources';\nimport { BulkRolesService } from './services/bulk_roles';\nimport { EntitlementsService } from './services/entitlements';\nimport { PlansService } from './services/plans';\nimport { ResourceMembersService } from './services/resource_members';\nimport { ResourcesService } from './services/resources';\nimport { RolesService } from './services/roles';\nimport { UsageService } from './services/usage';\nimport { UsersService } from './services/users';\n\nexport type ClientOption = FetchClientConfig & {\n apiKey?: ApiKeyAuthStrategy['key'];\n};\n\nexport class Blimu {\n readonly bulkResources: BulkResourcesService;\n readonly bulkRoles: BulkRolesService;\n readonly entitlements: EntitlementsService;\n readonly plans: PlansService;\n readonly resourceMembers: ResourceMembersService;\n readonly resources: ResourcesService;\n readonly roles: RolesService;\n readonly usage: UsageService;\n readonly users: UsersService;\n\n constructor(options?: ClientOption) {\n const restCfg = { ...(options ?? {}) };\n delete restCfg.apiKey;\n\n const authStrategies = buildAuthStrategies(options ?? {});\n\n const core = new FetchClient({\n ...restCfg,\n baseURL: options?.baseURL ?? 'https://api.blimu.dev',\n ...(authStrategies.length > 0 ? { authStrategies } : {}),\n });\n\n this.bulkResources = new BulkResourcesService(core);\n this.bulkRoles = new BulkRolesService(core);\n this.entitlements = new EntitlementsService(core);\n this.plans = new PlansService(core);\n this.resourceMembers = new ResourceMembersService(core);\n this.resources = new ResourcesService(core);\n this.roles = new RolesService(core);\n this.usage = new UsageService(core);\n this.users = new UsersService(core);\n }\n}\n\n// Re-export FetchError for backward compatibility\nexport { FetchError };\nexport const BlimuError = FetchError;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,mBAAwC;AACxC,IAAAA,gBAAgE;;;ADAhE,aAAwB;AACxB,UAAqB;AAiCd,IAAM,gBAAN,MAAoB;AAAA,EACR,QAAQ,oBAAI,IAAuB;AAAA,EACnC;AAAA,EACA;AAAA,EAEjB,YAAY,SAAgC;AAC1C,SAAK,WAAW,SAAS,YAAY,KAAK,KAAK;AAE/C,SAAK,gBAAgB,SAAS,iBAAiB;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAY,UAAkB,SAAmD;AAC7F,YAAQ,IAAI,oDAA6C,QAAQ,EAAE;AACnE,QAAI,SAAS;AACX,cAAQ;AAAA,QACN,8CAAuC,KAAK,UAAU,OAAO,KAAK,OAAO,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,KAAK,MAAM,cAAc,QAAQ,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;AAAA,MAC3I;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,MAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,GAAG;AAAA,MACL;AAAA,IACF,CAAC;AAED,YAAQ,IAAI,8CAAuC,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAE3F,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAY,MAAM,SAAS,KAAK;AACtC,cAAQ,MAAM,gDAA2C,SAAS,MAAM,IAAI,SAAS,EAAE;AACvF,YAAM,IAAI,wBAAW,wBAAwB,SAAS,QAAQ,SAAS;AAAA,IACzE;AAEA,UAAM,SAAU,MAAM,SAAS,KAAK;AACpC,YAAQ,IAAI,4DAAuD,OAAO,KAAK,MAAM,OAAO;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,KAA4B;AACjD,WAAc,uBAAgB;AAAA,MAC5B,KAAK;AAAA,QACH,KAAK,IAAI;AAAA,QACT,GAAG,IAAI;AAAA,QACP,GAAG,IAAI;AAAA,QACP,KAAK,IAAI;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,aACZ,KACA,UACA,UACA,SAC2B;AAE3B,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,cAAQ,IAAI,oDAA+C,GAAG,EAAE;AAChE,aAAO,OAAO;AAAA,IAChB;AAEA,YAAQ,IAAI,8EAAuE,GAAG,EAAE;AAGxF,UAAM,SAAS,MAAM,KAAK,YAAY,UAAU,OAAO;AAGvD,UAAM,MAAM,OAAO,KAAK,KAAK,CAAC,MAAM,EAAE,QAAQ,GAAG;AACjD,QAAI,CAAC,KAAK;AACR,YAAM,gBAAgB,OAAO,KAAK,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,IAAI;AAC7D,cAAQ;AAAA,QACN,wCAAmC,GAAG,2CAA2C,aAAa;AAAA,MAChG;AACA,YAAM,IAAI;AAAA,QACR,iBAAiB,GAAG,2CAA2C,aAAa;AAAA,MAC9E;AAAA,IACF;AAEA,YAAQ,IAAI,8CAAyC,GAAG,EAAE;AAG1D,UAAM,YAAY,KAAK,eAAe,GAAG;AAGzC,SAAK,MAAM,IAAI,UAAU;AAAA,MACvB,KAAK;AAAA,MACL;AAAA,MACA,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B,CAAC;AAED,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAyB,SAAyC;AACtE,UAAM,EAAE,KAAK,WAAW,OAAO,cAAc,IAAI;AAEjD,QAAI,CAAC,OAAO,CAAC,WAAW;AACtB,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,QAAI,OAAO,WAAW;AACpB,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAc,WAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,QAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,UAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,OAAO,KAAK;AACf,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AAEA,QAAI;AACJ,QAAI;AACJ,QAAI;AAEJ,QAAI,WAAW;AAEb,YAAM,SAAS,iBAAiB,KAAK;AACrC,iBAAW,GAAG,MAAM;AACpB,iBAAW;AACX,gBAAU;AAAA,QACR,aAAa;AAAA,MACf;AACA,cAAQ;AAAA,QACN,uDAAgD,OAAO,GAAG,eAAe,QAAQ;AAAA,MACnF;AAAA,IACF,OAAO;AAEL,iBAAW;AACX,iBAAW;AACX,cAAQ;AAAA,QACN,uDAAgD,OAAO,GAAG,eAAe,QAAQ;AAAA,MACnF;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,kBAAY,MAAM,KAAK,aAAa,OAAO,KAAK,UAAU,UAAU,OAAO;AAC3E,cAAQ,IAAI,qEAAgE,OAAO,GAAG,EAAE;AAAA,IAC1F,SAAS,OAAO;AACd,cAAQ;AAAA,QACN,oEAA+D,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,MACvH;AAEA,WAAK,WAAW,QAAQ;AACxB,cAAQ,IAAI,yDAAkD;AAC9D,UAAI;AACF,oBAAY,MAAM,KAAK,aAAa,OAAO,KAAK,UAAU,UAAU,OAAO;AAC3E,gBAAQ;AAAA,UACN,qEAAgE,OAAO,GAAG;AAAA,QAC5E;AAAA,MACF,SAAS,YAAY;AACnB,gBAAQ;AAAA,UACN,4DAAuD,sBAAsB,QAAQ,WAAW,UAAU,OAAO,UAAU,CAAC;AAAA,QAC9H;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAGA,QAAI;AACF,YAAM,UAAc,WAAO,OAAO,WAAW;AAAA,QAC3C,YAAY,CAAC,OAAO;AAAA,MACtB,CAAC;AACD,cAAQ,IAAI,oDAA+C;AAC3D,aAAO;AAAA,IACT,SAAS,OAAO;AACd,cAAQ;AAAA,QACN,mDAA8C,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,MACtG;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,gBAA+B;AACxC,QAAI,gBAAgB;AAClB,WAAK,MAAM,OAAO,cAAc;AAAA,IAClC,OAAO;AACL,WAAK,MAAM,MAAM;AAAA,IACnB;AAAA,EACF;AACF;AAKA,eAAsB,YAAyB,SAAyC;AACtF,QAAM,WAAW,IAAI,cAAc;AACnC,SAAO,SAAS,YAAe,OAAO;AACxC;","names":["import_fetch"]}

package/dist/token-verifier.d.mts DELETED Viewed

@@ -1,35 +0,0 @@
-interface JWK {
-    kty: string;
-    use: string;
-    kid: string;
-    alg: string;
-    n: string;
-    e: string;
-}
-interface JWKSet {
-    keys: JWK[];
-}
-interface VerifyTokenOptions {
-    url?: string;
-    secretKey?: string;
-    token: string;
-    runtimeApiUrl?: string | undefined;
-}
-interface TokenVerifierOptions {
-    runtimeApiUrl?: string | undefined;
-    cacheTTL?: number | undefined;
-}
-declare class TokenVerifier {
-    private readonly cache;
-    private readonly cacheTTL;
-    private readonly runtimeApiUrl;
-    constructor(options?: TokenVerifierOptions);
-    private fetchJWKSet;
-    private jwkToKeyObject;
-    private getPublicKey;
-    verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-    clearCache(secretKeyOrUrl?: string): void;
-}
-declare function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyTokenOptions, verifyToken };

package/dist/token-verifier.d.ts DELETED Viewed

@@ -1,35 +0,0 @@
-interface JWK {
-    kty: string;
-    use: string;
-    kid: string;
-    alg: string;
-    n: string;
-    e: string;
-}
-interface JWKSet {
-    keys: JWK[];
-}
-interface VerifyTokenOptions {
-    url?: string;
-    secretKey?: string;
-    token: string;
-    runtimeApiUrl?: string | undefined;
-}
-interface TokenVerifierOptions {
-    runtimeApiUrl?: string | undefined;
-    cacheTTL?: number | undefined;
-}
-declare class TokenVerifier {
-    private readonly cache;
-    private readonly cacheTTL;
-    private readonly runtimeApiUrl;
-    constructor(options?: TokenVerifierOptions);
-    private fetchJWKSet;
-    private jwkToKeyObject;
-    private getPublicKey;
-    verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-    clearCache(secretKeyOrUrl?: string): void;
-}
-declare function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T>;
-export { type JWK, type JWKSet, TokenVerifier, type TokenVerifierOptions, type VerifyTokenOptions, verifyToken };

package/dist/token-verifier.mjs DELETED Viewed

@@ -1,180 +0,0 @@
-// src/client.ts
-import { FetchClient, FetchError } from "@blimu/fetch";
-import "@blimu/fetch";
-// src/token-verifier.ts
-import * as crypto from "crypto";
-import * as jwt from "jsonwebtoken";
-var TokenVerifier = class {
-  cache = /* @__PURE__ */ new Map();
-  cacheTTL;
-  runtimeApiUrl;
-  constructor(options) {
-    this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
-  }
-  /**
-   * Convert JWK to KeyObject
-   */
-  jwkToKeyObject(jwk) {
-    return crypto.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e,
-        alg: jwk.alg
-      },
-      format: "jwk"
-    });
-  }
-  /**
-   * Get public key for a specific key ID
-   */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
-    const cached = this.cache.get(cacheKey);
-    if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
-      return cached.key;
-    }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
-    const jwk = jwkSet.keys.find((k) => k.kid === kid);
-    if (!jwk) {
-      const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
-      throw new Error(
-        `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
-    }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
-    const keyObject = this.jwkToKeyObject(jwk);
-    this.cache.set(cacheKey, {
-      key: keyObject,
-      kid,
-      expiresAt: Date.now() + this.cacheTTL
-    });
-    return keyObject;
-  }
-  /**
-   * Verify JWT token using JWKs from runtime-api
-   */
-  async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
-    }
-    const decoded = jwt.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
-      throw new Error("Invalid token format");
-    }
-    const header = decoded.header;
-    if (!header.kid) {
-      throw new Error("Token missing kid in header");
-    }
-    let endpoint;
-    let cacheKey;
-    let headers;
-    if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
-      cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
-    } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
-    }
-    let publicKey;
-    try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
-      this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
-    }
-  }
-  /**
-   * Clear cache (useful for testing or key rotation)
-   */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
-    } else {
-      this.cache.clear();
-    }
-  }
-};
-async function verifyToken(options) {
-  const verifier = new TokenVerifier();
-  return verifier.verifyToken(options);
-}
-export {
-  TokenVerifier,
-  verifyToken
-};
-//# sourceMappingURL=token-verifier.mjs.map

package/dist/token-verifier.mjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/client.ts","../src/token-verifier.ts"],"sourcesContent":["import { FetchClient, FetchError } from '@blimu/fetch';\nimport { type FetchClientConfig, type ApiKeyAuthStrategy } from '@blimu/fetch';\nimport { buildAuthStrategies } from './auth-strategies';\nimport { BulkResourcesService } from './services/bulk_resources';\nimport { BulkRolesService } from './services/bulk_roles';\nimport { EntitlementsService } from './services/entitlements';\nimport { PlansService } from './services/plans';\nimport { ResourceMembersService } from './services/resource_members';\nimport { ResourcesService } from './services/resources';\nimport { RolesService } from './services/roles';\nimport { UsageService } from './services/usage';\nimport { UsersService } from './services/users';\n\nexport type ClientOption = FetchClientConfig & {\n apiKey?: ApiKeyAuthStrategy['key'];\n};\n\nexport class Blimu {\n readonly bulkResources: BulkResourcesService;\n readonly bulkRoles: BulkRolesService;\n readonly entitlements: EntitlementsService;\n readonly plans: PlansService;\n readonly resourceMembers: ResourceMembersService;\n readonly resources: ResourcesService;\n readonly roles: RolesService;\n readonly usage: UsageService;\n readonly users: UsersService;\n\n constructor(options?: ClientOption) {\n const restCfg = { ...(options ?? {}) };\n delete restCfg.apiKey;\n\n const authStrategies = buildAuthStrategies(options ?? {});\n\n const core = new FetchClient({\n ...restCfg,\n baseURL: options?.baseURL ?? 'https://api.blimu.dev',\n ...(authStrategies.length > 0 ? { authStrategies } : {}),\n });\n\n this.bulkResources = new BulkResourcesService(core);\n this.bulkRoles = new BulkRolesService(core);\n this.entitlements = new EntitlementsService(core);\n this.plans = new PlansService(core);\n this.resourceMembers = new ResourceMembersService(core);\n this.resources = new ResourcesService(core);\n this.roles = new RolesService(core);\n this.usage = new UsageService(core);\n this.users = new UsersService(core);\n }\n}\n\n// Re-export FetchError for backward compatibility\nexport { FetchError };\nexport const BlimuError = FetchError;\n","import { FetchError } from './client';\nimport * as crypto from 'crypto';\nimport * as jwt from 'jsonwebtoken';\n\nexport interface JWK {\n kty: string;\n use: string;\n kid: string;\n alg: string;\n n: string;\n e: string;\n}\n\nexport interface JWKSet {\n keys: JWK[];\n}\n\ninterface CachedJWK {\n key: crypto.KeyObject;\n kid: string;\n expiresAt: number;\n}\n\nexport interface VerifyTokenOptions {\n url?: string; // Direct URL to JWK endpoint (for custom scenarios)\n secretKey?: string; // API key/secret key - uses runtimeApiUrl + JWK endpoint\n token: string;\n runtimeApiUrl?: string | undefined; // Optional override for runtime API URL\n}\n\nexport interface TokenVerifierOptions {\n runtimeApiUrl?: string | undefined;\n cacheTTL?: number | undefined; // Default: 1 hour\n}\n\nexport class TokenVerifier {\n private readonly cache = new Map<string, CachedJWK>();\n private readonly cacheTTL: number;\n private readonly runtimeApiUrl: string;\n\n constructor(options?: TokenVerifierOptions) {\n this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1000; // 1 hour\n\n this.runtimeApiUrl = options?.runtimeApiUrl ?? 'https://api.blimu.dev';\n }\n\n /**\n * Fetch JWK Set from runtime-api\n */\n private async fetchJWKSet(endpoint: string, headers?: Record<string, string>): Promise<JWKSet> {\n console.log(`[TokenVerifier] 📡 Fetching JWK Set from: ${endpoint}`);\n if (headers) {\n console.log(\n `[TokenVerifier] 📡 Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === 'x-api-key' ? '***' : headers[k]}`))}`\n );\n }\n\n const response = await fetch(endpoint, {\n method: 'GET',\n headers: {\n 'Content-Type': 'application/json',\n ...headers,\n },\n });\n\n console.log(`[TokenVerifier] 📡 Response status: ${response.status} ${response.statusText}`);\n\n if (!response.ok) {\n const errorText = await response.text();\n console.error(`[TokenVerifier] ❌ Failed to fetch JWKs: ${response.status} ${errorText}`);\n throw new FetchError('Failed to fetch JWKs', response.status, errorText);\n }\n\n const jwkSet = (await response.json()) as JWKSet;\n console.log(`[TokenVerifier] ✅ Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);\n return jwkSet;\n }\n\n /**\n * Convert JWK to KeyObject\n */\n private jwkToKeyObject(jwk: JWK): crypto.KeyObject {\n return crypto.createPublicKey({\n key: {\n kty: jwk.kty,\n n: jwk.n,\n e: jwk.e,\n alg: jwk.alg,\n },\n format: 'jwk',\n });\n }\n\n /**\n * Get public key for a specific key ID\n */\n private async getPublicKey(\n kid: string,\n cacheKey: string,\n endpoint: string,\n headers?: Record<string, string>\n ): Promise<crypto.KeyObject> {\n // Check cache first\n const cached = this.cache.get(cacheKey);\n if (cached && cached.expiresAt > Date.now()) {\n console.log(`[TokenVerifier] ✅ Using cached key for kid: ${kid}`);\n return cached.key;\n }\n\n console.log(`[TokenVerifier] 🔍 Cache miss or expired. Fetching new key for kid: ${kid}`);\n\n // Fetch JWK Set\n const jwkSet = await this.fetchJWKSet(endpoint, headers);\n\n // Find the key with matching kid\n const jwk = jwkSet.keys.find((k) => k.kid === kid);\n if (!jwk) {\n const availableKids = jwkSet.keys.map((k) => k.kid).join(', ');\n console.error(\n `[TokenVerifier] ❌ Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`\n );\n throw new Error(\n `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`\n );\n }\n\n console.log(`[TokenVerifier] ✅ Found key with kid: ${kid}`);\n\n // Convert JWK to KeyObject\n const keyObject = this.jwkToKeyObject(jwk);\n\n // Cache the key\n this.cache.set(cacheKey, {\n key: keyObject,\n kid,\n expiresAt: Date.now() + this.cacheTTL,\n });\n\n return keyObject;\n }\n\n /**\n * Verify JWT token using JWKs from runtime-api\n */\n async verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T> {\n const { url, secretKey, token, runtimeApiUrl } = options;\n\n if (!url && !secretKey) {\n throw new Error('Either url or secretKey must be provided');\n }\n\n if (url && secretKey) {\n throw new Error('Cannot provide both url and secretKey');\n }\n\n // Decode token header to get kid (without verification)\n const decoded = jwt.decode(token, { complete: true });\n if (!decoded || typeof decoded === 'string') {\n throw new Error('Invalid token format');\n }\n\n const header = decoded.header;\n if (!header.kid) {\n throw new Error('Token missing kid in header');\n }\n\n let endpoint: string;\n let cacheKey: string;\n let headers: Record<string, string> | undefined;\n\n if (secretKey) {\n // Use secretKey with runtimeApiUrl\n const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;\n endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;\n cacheKey = secretKey;\n headers = {\n 'x-api-key': secretKey,\n };\n console.log(\n `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`\n );\n } else {\n // Use direct URL\n endpoint = url!;\n cacheKey = url!;\n console.log(\n `[TokenVerifier] 🔍 Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`\n );\n }\n\n // Get public key for this kid\n let publicKey: crypto.KeyObject;\n try {\n publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);\n console.log(`[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid}`);\n } catch (error) {\n console.error(\n `[TokenVerifier] ❌ Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`\n );\n // If verification fails, clear cache and retry once (handles key rotation)\n this.clearCache(cacheKey);\n console.log(`[TokenVerifier] 🔄 Retrying after cache clear...`);\n try {\n publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);\n console.log(\n `[TokenVerifier] ✅ Successfully retrieved public key for kid: ${header.kid} (retry)`\n );\n } catch (retryError) {\n console.error(\n `[TokenVerifier] ❌ Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`\n );\n throw retryError;\n }\n }\n\n // Verify token\n try {\n const payload = jwt.verify(token, publicKey, {\n algorithms: ['RS256'],\n }) as T;\n console.log(`[TokenVerifier] ✅ Token verified successfully`);\n return payload;\n } catch (error) {\n console.error(\n `[TokenVerifier] ❌ JWT verification failed: ${error instanceof Error ? error.message : String(error)}`\n );\n throw error;\n }\n }\n\n /**\n * Clear cache (useful for testing or key rotation)\n */\n clearCache(secretKeyOrUrl?: string): void {\n if (secretKeyOrUrl) {\n this.cache.delete(secretKeyOrUrl);\n } else {\n this.cache.clear();\n }\n }\n}\n\n/**\n * Convenience function to verify a token\n */\nexport async function verifyToken<T = unknown>(options: VerifyTokenOptions): Promise<T> {\n const verifier = new TokenVerifier();\n return verifier.verifyToken<T>(options);\n}\n"],"mappings":";AAAA,SAAS,aAAa,kBAAkB;AACxC,OAAgE;;;ACAhE,YAAY,YAAY;AACxB,YAAY,SAAS;AAiCd,IAAM,gBAAN,MAAoB;AAAA,EACR,QAAQ,oBAAI,IAAuB;AAAA,EACnC;AAAA,EACA;AAAA,EAEjB,YAAY,SAAgC;AAC1C,SAAK,WAAW,SAAS,YAAY,KAAK,KAAK;AAE/C,SAAK,gBAAgB,SAAS,iBAAiB;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAY,UAAkB,SAAmD;AAC7F,YAAQ,IAAI,oDAA6C,QAAQ,EAAE;AACnE,QAAI,SAAS;AACX,cAAQ;AAAA,QACN,8CAAuC,KAAK,UAAU,OAAO,KAAK,OAAO,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,KAAK,MAAM,cAAc,QAAQ,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;AAAA,MAC3I;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,MAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,GAAG;AAAA,MACL;AAAA,IACF,CAAC;AAED,YAAQ,IAAI,8CAAuC,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAE3F,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAY,MAAM,SAAS,KAAK;AACtC,cAAQ,MAAM,gDAA2C,SAAS,MAAM,IAAI,SAAS,EAAE;AACvF,YAAM,IAAI,WAAW,wBAAwB,SAAS,QAAQ,SAAS;AAAA,IACzE;AAEA,UAAM,SAAU,MAAM,SAAS,KAAK;AACpC,YAAQ,IAAI,4DAAuD,OAAO,KAAK,MAAM,OAAO;AAC5F,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,KAA4B;AACjD,WAAc,uBAAgB;AAAA,MAC5B,KAAK;AAAA,QACH,KAAK,IAAI;AAAA,QACT,GAAG,IAAI;AAAA,QACP,GAAG,IAAI;AAAA,QACP,KAAK,IAAI;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,aACZ,KACA,UACA,UACA,SAC2B;AAE3B,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,cAAQ,IAAI,oDAA+C,GAAG,EAAE;AAChE,aAAO,OAAO;AAAA,IAChB;AAEA,YAAQ,IAAI,8EAAuE,GAAG,EAAE;AAGxF,UAAM,SAAS,MAAM,KAAK,YAAY,UAAU,OAAO;AAGvD,UAAM,MAAM,OAAO,KAAK,KAAK,CAAC,MAAM,EAAE,QAAQ,GAAG;AACjD,QAAI,CAAC,KAAK;AACR,YAAM,gBAAgB,OAAO,KAAK,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,IAAI;AAC7D,cAAQ;AAAA,QACN,wCAAmC,GAAG,2CAA2C,aAAa;AAAA,MAChG;AACA,YAAM,IAAI;AAAA,QACR,iBAAiB,GAAG,2CAA2C,aAAa;AAAA,MAC9E;AAAA,IACF;AAEA,YAAQ,IAAI,8CAAyC,GAAG,EAAE;AAG1D,UAAM,YAAY,KAAK,eAAe,GAAG;AAGzC,SAAK,MAAM,IAAI,UAAU;AAAA,MACvB,KAAK;AAAA,MACL;AAAA,MACA,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B,CAAC;AAED,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAyB,SAAyC;AACtE,UAAM,EAAE,KAAK,WAAW,OAAO,cAAc,IAAI;AAEjD,QAAI,CAAC,OAAO,CAAC,WAAW;AACtB,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,QAAI,OAAO,WAAW;AACpB,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAc,WAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,QAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,UAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,OAAO,KAAK;AACf,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AAEA,QAAI;AACJ,QAAI;AACJ,QAAI;AAEJ,QAAI,WAAW;AAEb,YAAM,SAAS,iBAAiB,KAAK;AACrC,iBAAW,GAAG,MAAM;AACpB,iBAAW;AACX,gBAAU;AAAA,QACR,aAAa;AAAA,MACf;AACA,cAAQ;AAAA,QACN,uDAAgD,OAAO,GAAG,eAAe,QAAQ;AAAA,MACnF;AAAA,IACF,OAAO;AAEL,iBAAW;AACX,iBAAW;AACX,cAAQ;AAAA,QACN,uDAAgD,OAAO,GAAG,eAAe,QAAQ;AAAA,MACnF;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,kBAAY,MAAM,KAAK,aAAa,OAAO,KAAK,UAAU,UAAU,OAAO;AAC3E,cAAQ,IAAI,qEAAgE,OAAO,GAAG,EAAE;AAAA,IAC1F,SAAS,OAAO;AACd,cAAQ;AAAA,QACN,oEAA+D,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,MACvH;AAEA,WAAK,WAAW,QAAQ;AACxB,cAAQ,IAAI,yDAAkD;AAC9D,UAAI;AACF,oBAAY,MAAM,KAAK,aAAa,OAAO,KAAK,UAAU,UAAU,OAAO;AAC3E,gBAAQ;AAAA,UACN,qEAAgE,OAAO,GAAG;AAAA,QAC5E;AAAA,MACF,SAAS,YAAY;AACnB,gBAAQ;AAAA,UACN,4DAAuD,sBAAsB,QAAQ,WAAW,UAAU,OAAO,UAAU,CAAC;AAAA,QAC9H;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAGA,QAAI;AACF,YAAM,UAAc,WAAO,OAAO,WAAW;AAAA,QAC3C,YAAY,CAAC,OAAO;AAAA,MACtB,CAAC;AACD,cAAQ,IAAI,oDAA+C;AAC3D,aAAO;AAAA,IACT,SAAS,OAAO;AACd,cAAQ;AAAA,QACN,mDAA8C,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,MACtG;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,gBAA+B;AACxC,QAAI,gBAAgB;AAClB,WAAK,MAAM,OAAO,cAAc;AAAA,IAClC,OAAO;AACL,WAAK,MAAM,MAAM;AAAA,IACnB;AAAA,EACF;AACF;AAKA,eAAsB,YAAyB,SAAyC;AACtF,QAAM,WAAW,IAAI,cAAc;AACnC,SAAO,SAAS,YAAe,OAAO;AACxC;","names":[]}