@blimu/backend 1.2.1 → 1.2.2

package/dist/index.cjs

@@ -31,6 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AuthJwksService: () => AuthJwksService,
   Blimu: () => Blimu,
   BlimuError: () => BlimuError,
   BulkResourcesService: () => BulkResourcesService,
@@ -51,6 +52,7 @@ __export(index_exports, {
   paginate: () => paginate,
   parseNDJSONStream: () => import_fetch3.parseNDJSONStream,
   parseSSEStream: () => import_fetch3.parseSSEStream,
+  verifyOAuthToken: () => verifyOAuthToken,
   verifyToken: () => verifyToken
 });
 module.exports = __toCommonJS(index_exports);
@@ -73,6 +75,47 @@ function buildAuthStrategies(cfg) {
   return authStrategies;
 }
 
+// src/services/auth_jwks.ts
+var AuthJwksService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/auth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for environment (Public)*
+   * @description Returns the public keys used to verify JWT tokens issued by this environment. Authenticate using either x-api-key header (secretKey) or x-blimu-publishable-key header (publishableKey).*/
+  getJwks(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/jwks.json`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/.well-known/public-key.pem*
+   * @summary Get environment public key (PEM)*
+   * @description Returns the public key in PEM format for verifying JWT tokens. Authenticate with x-api-key or x-blimu-publishable-key.*/
+  getPublicKeyPem(init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/.well-known/public-key.pem`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/auth/oauth/.well-known/jwks.json*
+   * @summary Get JSON Web Key Set for OAuth app (Public)*
+   * @description Returns the public key for a specific OAuth app to verify JWT tokens. This is a public endpoint following OAuth2/OIDC standards. Provide client_id to get keys for a specific OAuth app, or use authenticated endpoint for environment keys.*/
+  getOAuthAppJwks(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/auth/oauth/.well-known/jwks.json`,
+      query,
+      ...init ?? {}
+    });
+  }
+};
+
 // src/services/bulk_resources.ts
 var BulkResourcesService = class {
   constructor(core) {
@@ -580,6 +623,7 @@ var UsersService = class {
 
 // src/client.ts
 var Blimu = class {
+  authJwks;
   bulkResources;
   bulkRoles;
   entitlements;
@@ -599,6 +643,7 @@ var Blimu = class {
       baseURL: options?.baseURL ?? "https://api.blimu.dev",
       ...authStrategies.length > 0 ? { authStrategies } : {}
     });
+    this.authJwks = new AuthJwksService(core);
     this.bulkResources = new BulkResourcesService(core);
     this.bulkRoles = new BulkRolesService(core);
     this.entitlements = new EntitlementsService(core);
@@ -649,6 +694,7 @@ var schema_exports = {};
 // src/schema.zod.ts
 var schema_zod_exports = {};
 __export(schema_zod_exports, {
+  AuthJwksGetOAuthAppJwksQuerySchema: () => AuthJwksGetOAuthAppJwksQuerySchema,
   AuthorizeRequestSchema: () => AuthorizeRequestSchema,
   BalanceResponseSchema: () => BalanceResponseSchema,
   CheckLimitResponseSchema: () => CheckLimitResponseSchema,
@@ -667,6 +713,7 @@ __export(schema_zod_exports, {
   EntitlementsListResultSchema: () => EntitlementsListResultSchema,
   IntrospectionRequestSchema: () => IntrospectionRequestSchema,
   IntrospectionResponseSchema: () => IntrospectionResponseSchema,
+  JWKSchema: () => JWKSchema,
   OauthCheckConsentRequiredQuerySchema: () => OauthCheckConsentRequiredQuerySchema,
   PlanAssignBodySchema: () => PlanAssignBodySchema,
   PlanDeleteResponseSchema: () => PlanDeleteResponseSchema,
@@ -832,6 +879,16 @@ var IntrospectionResponseSchema = import_zod.z.object({
   /** Username or user ID */
   username: import_zod.z.string().optional()
 });
+var JWKSchema = import_zod.z.object({
+  keys: import_zod.z.object({
+    alg: import_zod.z.string(),
+    e: import_zod.z.string(),
+    kid: import_zod.z.string(),
+    kty: import_zod.z.string(),
+    n: import_zod.z.string(),
+    use: import_zod.z.string()
+  }).array()
+});
 var PlanDeleteResponseSchema = import_zod.z.object({ success: import_zod.z.boolean() });
 var ResourceMemberListSchema = import_zod.z.object({
   items: import_zod.z.object({
@@ -1189,6 +1246,10 @@ var ResourceListSchema = import_zod.z.object({
   page: import_zod.z.number(),
   total: import_zod.z.number()
 });
+var AuthJwksGetOAuthAppJwksQuerySchema = import_zod.z.object({
+  /** OAuth app client ID to get public keys for */
+  client_id: import_zod.z.string().optional()
+});
 var EntitlementsListForResourceQuerySchema = import_zod.z.object({
   /** The unique identifier of the user */
   userId: import_zod.z.string()
@@ -1257,40 +1318,14 @@ var UsersListQuerySchema = import_zod.z.object({
 // src/token-verifier.ts
 var crypto = __toESM(require("crypto"));
 var jwt = __toESM(require("jsonwebtoken"));
+var import_fetch4 = require("@blimu/fetch");
 var TokenVerifier = class {
   cache = /* @__PURE__ */ new Map();
   cacheTTL;
-  runtimeApiUrl;
+  baseURL;
   constructor(options) {
     this.cacheTTL = options?.cacheTTL ?? 60 * 60 * 1e3;
-    this.runtimeApiUrl = options?.runtimeApiUrl ?? "https://api.blimu.dev";
-  }
-  /**
-   * Fetch JWK Set from runtime-api
-   */
-  async fetchJWKSet(endpoint, headers) {
-    console.log(`[TokenVerifier] \u{1F4E1} Fetching JWK Set from: ${endpoint}`);
-    if (headers) {
-      console.log(
-        `[TokenVerifier] \u{1F4E1} Request headers: ${JSON.stringify(Object.keys(headers).map((k) => `${k}: ${k === "x-api-key" ? "***" : headers[k]}`))}`
-      );
-    }
-    const response = await fetch(endpoint, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-        ...headers
-      }
-    });
-    console.log(`[TokenVerifier] \u{1F4E1} Response status: ${response.status} ${response.statusText}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new import_fetch.FetchError("Failed to fetch JWKs", response.status, errorText);
-    }
-    const jwkSet = await response.json();
-    console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);
-    return jwkSet;
+    this.baseURL = options?.runtimeApiUrl ?? "https://api.blimu.dev";
   }
   /**
    * Convert JWK to KeyObject
@@ -1309,25 +1344,19 @@ var TokenVerifier = class {
   /**
    * Get public key for a specific key ID
    */
-  async getPublicKey(kid, cacheKey, endpoint, headers) {
+  async getPublicKey(kid, cacheKey, fetchJwks) {
     const cached = this.cache.get(cacheKey);
     if (cached && cached.expiresAt > Date.now()) {
-      console.log(`[TokenVerifier] \u2705 Using cached key for kid: ${kid}`);
       return cached.key;
     }
-    console.log(`[TokenVerifier] \u{1F50D} Cache miss or expired. Fetching new key for kid: ${kid}`);
-    const jwkSet = await this.fetchJWKSet(endpoint, headers);
+    const jwkSet = await fetchJwks();
     const jwk = jwkSet.keys.find((k) => k.kid === kid);
     if (!jwk) {
       const availableKids = jwkSet.keys.map((k) => k.kid).join(", ");
-      console.error(
-        `[TokenVerifier] \u274C Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
-      );
       throw new Error(
         `Key with kid '${kid}' not found in JWK Set. Available kids: ${availableKids}`
       );
     }
-    console.log(`[TokenVerifier] \u2705 Found key with kid: ${kid}`);
     const keyObject = this.jwkToKeyObject(jwk);
     this.cache.set(cacheKey, {
       key: keyObject,
@@ -1337,15 +1366,16 @@ var TokenVerifier = class {
     return keyObject;
   }
   /**
-   * Verify JWT token using JWKs from runtime-api
+   * Verify JWT token using JWKs from Blimu runtime API.
+   * Supports: environment/session tokens (secretKey) or OAuth app tokens (clientId).
    */
   async verifyToken(options) {
-    const { url, secretKey, token, runtimeApiUrl } = options;
-    if (!url && !secretKey) {
-      throw new Error("Either url or secretKey must be provided");
-    }
-    if (url && secretKey) {
-      throw new Error("Cannot provide both url and secretKey");
+    const { secretKey, clientId, token, runtimeApiUrl } = options;
+    const provided = [secretKey, clientId].filter(Boolean);
+    if (provided.length !== 1) {
+      throw new Error(
+        "Exactly one of secretKey or clientId must be provided. Use secretKey for environment/session tokens, clientId for OAuth app access tokens."
+      );
     }
     const decoded = jwt.decode(token, { complete: true });
     if (!decoded || typeof decoded === "string") {
@@ -1355,67 +1385,38 @@ var TokenVerifier = class {
     if (!header.kid) {
       throw new Error("Token missing kid in header");
     }
-    let endpoint;
+    const baseURL = runtimeApiUrl ?? this.baseURL;
     let cacheKey;
-    let headers;
+    let fetchJwks;
     if (secretKey) {
-      const apiUrl = runtimeApiUrl ?? this.runtimeApiUrl;
-      endpoint = `${apiUrl}/v1/auth/.well-known/jwks.json`;
       cacheKey = secretKey;
-      headers = {
-        "x-api-key": secretKey
-      };
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      const core = new import_fetch4.FetchClient({
+        baseURL,
+        authStrategies: buildAuthStrategies({ apiKey: secretKey, baseURL })
+      });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getJwks();
     } else {
-      endpoint = url;
-      cacheKey = url;
-      console.log(
-        `[TokenVerifier] \u{1F50D} Verifying token with kid: ${header.kid}, endpoint: ${endpoint}`
-      );
+      cacheKey = `oauth:${clientId}`;
+      const core = new import_fetch4.FetchClient({ baseURL });
+      const authJwks = new AuthJwksService(core);
+      fetchJwks = () => authJwks.getOAuthAppJwks({ client_id: clientId });
     }
     let publicKey;
     try {
-      publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-      console.log(`[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid}`);
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C Failed to get public key (first attempt): ${error instanceof Error ? error.message : String(error)}`
-      );
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
+    } catch {
       this.clearCache(cacheKey);
-      console.log(`[TokenVerifier] \u{1F504} Retrying after cache clear...`);
-      try {
-        publicKey = await this.getPublicKey(header.kid, cacheKey, endpoint, headers);
-        console.log(
-          `[TokenVerifier] \u2705 Successfully retrieved public key for kid: ${header.kid} (retry)`
-        );
-      } catch (retryError) {
-        console.error(
-          `[TokenVerifier] \u274C Failed to get public key (retry): ${retryError instanceof Error ? retryError.message : String(retryError)}`
-        );
-        throw retryError;
-      }
-    }
-    try {
-      const payload = jwt.verify(token, publicKey, {
-        algorithms: ["RS256"]
-      });
-      console.log(`[TokenVerifier] \u2705 Token verified successfully`);
-      return payload;
-    } catch (error) {
-      console.error(
-        `[TokenVerifier] \u274C JWT verification failed: ${error instanceof Error ? error.message : String(error)}`
-      );
-      throw error;
+      publicKey = await this.getPublicKey(header.kid, cacheKey, fetchJwks);
     }
+    return jwt.verify(token, publicKey, { algorithms: ["RS256"] });
   }
   /**
    * Clear cache (useful for testing or key rotation)
    */
-  clearCache(secretKeyOrUrl) {
-    if (secretKeyOrUrl) {
-      this.cache.delete(secretKeyOrUrl);
+  clearCache(cacheKey) {
+    if (cacheKey) {
+      this.cache.delete(cacheKey);
     } else {
       this.cache.clear();
     }
@@ -1425,8 +1426,15 @@ async function verifyToken(options) {
   const verifier = new TokenVerifier();
   return verifier.verifyToken(options);
 }
+async function verifyOAuthToken(options) {
+  return verifyToken({
+    ...options,
+    clientId: options.clientId
+  });
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AuthJwksService,
   Blimu,
   BlimuError,
   BulkResourcesService,
@@ -1447,6 +1455,7 @@ async function verifyToken(options) {
   paginate,
   parseNDJSONStream,
   parseSSEStream,
+  verifyOAuthToken,
   verifyToken,
   ...require("@blimu/fetch")
 });