npm - @canton-network/core-wallet-auth - Versions diffs - 0.10.0 → 0.11.0 - Mend

@canton-network/core-wallet-auth 0.10.0 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/auth-service.d.ts +28 -3
package/dist/auth-service.d.ts.map +1 -1
package/dist/auth-token-provider-self-signed.d.ts +13 -0
package/dist/auth-token-provider-self-signed.d.ts.map +1 -0
package/dist/auth-token-provider.d.ts +11 -0
package/dist/auth-token-provider.d.ts.map +1 -0
package/dist/client-credentials-service.d.ts +1 -9
package/dist/client-credentials-service.d.ts.map +1 -1
package/dist/config/schema.d.ts +378 -0
package/dist/config/schema.d.ts.map +1 -0
package/dist/index.cjs +254 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +247 -5
package/dist/index.js.map +1 -0
package/package.json +19 -7
package/dist/auth-service.js +0 -3
package/dist/auth-utils.js +0 -11
package/dist/client-credentials-service.js +0 -64
package/dist/client-credentials.service.test.d.ts +0 -2
package/dist/client-credentials.service.test.d.ts.map +0 -1
package/dist/client-credentials.service.test.js +0 -55

package/dist/auth-service.d.ts CHANGED Viewed

@@ -1,13 +1,38 @@
 export type UserId = string;
+/**
+ * Authentication context containing user ID and access token
+ */
 export interface AuthContext {
     userId: UserId;
     accessToken: string;
 }
-export interface AuthService {
-    verifyToken(accessToken?: string): Promise<AuthContext | undefined>;
-}
+/**
+ * Interface for types that are aware of authentication context
+ */
 export interface AuthAware<T> {
     authContext: AuthContext | undefined;
     withAuthContext: (context?: AuthContext) => T;
 }
+/**
+ * Interface for verifying access tokens
+ */
+export interface AuthService {
+    verifyToken(accessToken?: string): Promise<AuthContext | undefined>;
+}
+/**
+ * Interface for providing access tokens used to authenticate requests
+ */
+export interface AccessTokenProvider {
+    getUserAccessToken(): Promise<string>;
+    getAdminAccessToken(): Promise<string>;
+}
+export interface OIDCConfig {
+    token_endpoint: string;
+}
+export interface ClientCredentials {
+    clientId: string;
+    clientSecret: string;
+    scope: string | undefined;
+    audience: string | undefined;
+}
 //# sourceMappingURL=auth-service.d.ts.map

package/dist/auth-service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;CACtB;AAED,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED,MAAM,WAAW,~~SAAS~~,CAAC,CAAC;~~IACxB~~,WAAW,EAAE,WAAW,~~GAAG~~,~~SAAS~~,CAAA;~~IACpC~~,~~eAAe~~,EAAE,~~CAAC~~,~~OAAO~~,~~CAAC~~,EAAE,~~WAAW~~,~~KAAK~~,~~CAAC~~,CAAA;~~CAChD~~"}
1	+ {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC;IACxB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,CAAC,CAAA;CAChD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,iBAAiB;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B"}

package/dist/auth-token-provider-self-signed.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { Logger } from '@canton-network/core-types';
+import { AccessTokenProvider, ClientCredentials } from './auth-service.js';
+import { SelfSignedAuth } from './config/schema.js';
+export declare class AuthTokenProviderSelfSigned implements AccessTokenProvider {
+    private auth;
+    private logger;
+    private expirySeconds;
+    constructor(auth: SelfSignedAuth, logger: Logger, expirySeconds?: number);
+    getUserAccessToken(): Promise<string>;
+    getAdminAccessToken(): Promise<string>;
+    static fetchToken(logger: Logger, credentials: ClientCredentials, issuer: string, expirySeconds?: number): Promise<string>;
+}
+//# sourceMappingURL=auth-token-provider-self-signed.d.ts.map

package/dist/auth-token-provider-self-signed.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-token-provider-self-signed.d.ts","sourceRoot":"","sources":["../src/auth-token-provider-self-signed.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGnD,qBAAa,2BAA4B,YAAW,mBAAmB;IAE/D,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,aAAa;gBAFb,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa;IAGlC,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAerC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;WAkB/B,UAAU,CACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,iBAAiB,EAC9B,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa,GAC7B,OAAO,CAAC,MAAM,CAAC;CAgBrB"}

package/dist/auth-token-provider.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { Logger } from '@canton-network/core-types';
+import { AccessTokenProvider } from './auth-service.js';
+import { Auth } from './config/schema.js';
+export declare class AuthTokenProvider implements AccessTokenProvider {
+    private auth;
+    private logger;
+    constructor(auth: Auth, logger: Logger);
+    getUserAccessToken(): Promise<string>;
+    getAdminAccessToken(): Promise<string>;
+}
+//# sourceMappingURL=auth-token-provider.d.ts.map

package/dist/auth-token-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAIzC,qBAAa,iBAAkB,YAAW,mBAAmB;IAErD,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,MAAM;gBADN,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM;IAGpB,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAwBrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB/C"}

package/dist/client-credentials-service.d.ts CHANGED Viewed

@@ -1,13 +1,5 @@
 import { Logger } from '@canton-network/core-types';
-export interface OIDCConfig {
-    token_endpoint: string;
-}
-export interface ClientCredentials {
-    clientId: string;
-    clientSecret: string;
-    scope: string | undefined;
-    audience: string | undefined;
-}
+import { ClientCredentials, OIDCConfig } from './auth-service.js';
 export declare class ClientCredentialsService {
     private configUrl;
     private logger;

package/dist/client-credentials-service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client-credentials-service.d.ts","sourceRoot":"","sources":["../src/client-credentials-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;~~AAEnD~~,~~MAAM~~,~~WAAW,UAAU;IACvB,cAAc,~~EAAE,~~MAAM,CAAA;CACzB;AAED,MAAM,WAAW,~~iBAAiB~~;IAC9B~~,~~QAAQ,~~EAAE,~~MAAM~~,~~CAAA;IAChB,YAAY,~~EAAE,MAAM,~~CAAA;IACpB~~,~~KAAK,EAAE,MAAM,GAAG,SAAS,~~CAAA;~~IACzB~~,~~QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B;AAED,~~qBAAa,wBAAwB;IAE7B,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;gBADN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GAAG,SAAS;IAGtC;;;;;OAKG;IACG,UAAU,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IA2B3D,kBAAkB,CACpB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,iBAAiB,GAC/B,OAAO,CAAC,QAAQ,CAAC;IA4Bd,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAcxD;AAED,eAAO,MAAM,wBAAwB,GACjC,WAAW,MAAM,EACjB,QAAQ,MAAM,GAAG,SAAS;8BAEM,iBAAiB;CAEnD,CAAA"}
1	+ {"version":3,"file":"client-credentials-service.d.ts","sourceRoot":"","sources":["../src/client-credentials-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAEjE,qBAAa,wBAAwB;IAE7B,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;gBADN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GAAG,SAAS;IAGtC;;;;;OAKG;IACG,UAAU,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IA2B3D,kBAAkB,CACpB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,iBAAiB,GAC/B,OAAO,CAAC,QAAQ,CAAC;IA4Bd,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAcxD;AAED,eAAO,MAAM,wBAAwB,GACjC,WAAW,MAAM,EACjB,QAAQ,MAAM,GAAG,SAAS;8BAEM,iBAAiB;CAEnD,CAAA"}

package/dist/config/schema.d.ts ADDED Viewed

@@ -0,0 +1,378 @@
+import { z } from 'zod';
+declare const credentials: z.ZodObject<{
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    clientSecret: string;
+}, {
+    clientId: string;
+    clientSecret: string;
+}>;
+declare const passwordAuthSchema: z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"password">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    tokenUrl: z.ZodString;
+    grantType: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    type: "password";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    tokenUrl: string;
+    grantType: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    type: "password";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    tokenUrl: string;
+    grantType: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>;
+declare const implicitAuthSchema: z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"implicit">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    type: "implicit";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    type: "implicit";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>;
+declare const clientCredentialAuthSchema: z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"client_credentials">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    clientSecret: string;
+    type: "client_credentials";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    clientSecret: string;
+    type: "client_credentials";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>;
+declare const selfSignedAuthSchema: z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"self_signed">;
+    issuer: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    clientSecret: string;
+    type: "self_signed";
+    identityProviderId: string;
+    issuer: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    clientSecret: string;
+    type: "self_signed";
+    identityProviderId: string;
+    issuer: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>;
+export declare const authSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"password">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    tokenUrl: z.ZodString;
+    grantType: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    type: "password";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    tokenUrl: string;
+    grantType: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    type: "password";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    tokenUrl: string;
+    grantType: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>, z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"implicit">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    type: "implicit";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    type: "implicit";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>, z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"client_credentials">;
+    issuer: z.ZodString;
+    configUrl: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    clientSecret: string;
+    type: "client_credentials";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    clientSecret: string;
+    type: "client_credentials";
+    identityProviderId: string;
+    issuer: string;
+    configUrl: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>, z.ZodObject<{
+    identityProviderId: z.ZodString;
+    type: z.ZodLiteral<"self_signed">;
+    issuer: z.ZodString;
+    audience: z.ZodString;
+    scope: z.ZodString;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    admin: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        clientSecret: string;
+    }, {
+        clientId: string;
+        clientSecret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    clientSecret: string;
+    type: "self_signed";
+    identityProviderId: string;
+    issuer: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}, {
+    clientId: string;
+    clientSecret: string;
+    type: "self_signed";
+    identityProviderId: string;
+    issuer: string;
+    audience: string;
+    scope: string;
+    admin?: {
+        clientId: string;
+        clientSecret: string;
+    } | undefined;
+}>]>;
+export type Auth = z.infer<typeof authSchema>;
+export type ImplicitAuth = z.infer<typeof implicitAuthSchema>;
+export type PasswordAuth = z.infer<typeof passwordAuthSchema>;
+export type Credentials = z.infer<typeof credentials>;
+export type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>;
+export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
+export {};
+//# sourceMappingURL=schema.d.ts.map

package/dist/config/schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,WAAW;;;;;;;;;EAGf,CAAA;AAEF,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWtB,CAAA;AAEF,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAStB,CAAA;AAEF,QAAA,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU9B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAKrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AACrD,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAC7E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,254 @@
+'use strict';
+var coreRpcErrors = require('@canton-network/core-rpc-errors');
+var zod = require('zod');
+var jose = require('jose');
+// src/client-credentials-service.ts
+var ClientCredentialsService = class {
+  constructor(configUrl, logger) {
+    this.configUrl = configUrl;
+    this.logger = logger;
+  }
+  /**
+   * Fetches the JWT token (M2M) using client credentials.
+   *
+   * @returns The JWT access token as a string.
+   * @throws If fetching the token fails or the response is invalid.
+   */
+  async fetchToken(credentials2) {
+    try {
+      const oidcConfig = await this.getOIDCConfig(this.configUrl);
+      this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
+      const res = await this.fetchTokenEndpoint(
+        oidcConfig.token_endpoint,
+        credentials2
+      );
+      const json = await res.json();
+      this.logger?.info(
+        { response: json },
+        `Fetched admin token for clientId: ${credentials2.clientId}`
+      );
+      if (!json.access_token) {
+        throw new Error("No access_token in token endpoint response");
+      }
+      return json.access_token;
+    } catch (error) {
+      this.logger?.error({ err: error }, "Failed to fetch admin token");
+      throw error;
+    }
+  }
+  async fetchTokenEndpoint(tokenEndpoint, credentials2) {
+    const params = new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: credentials2.clientId,
+      client_secret: credentials2.clientSecret,
+      scope: credentials2.scope ?? "",
+      audience: credentials2.audience ?? ""
+    });
+    const res = await fetch(tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString()
+    });
+    if (!res.ok) {
+      this.logger?.error(
+        { status: res.status, statusText: res.statusText },
+        "Token endpoint error"
+      );
+      throw new Error(
+        `Token endpoint error: ${res.status} ${res.statusText}`
+      );
+    }
+    return res;
+  }
+  async getOIDCConfig(url) {
+    const res = await fetch(url);
+    if (!res.ok) {
+      const text = await res.text();
+      this.logger?.error(
+        { status: res.status, statusText: res.statusText, body: text },
+        "Failed to fetch OIDC config"
+      );
+      throw new Error(
+        `OIDC config error: ${res.status} ${res.statusText}`
+      );
+    }
+    return res.json();
+  }
+};
+var clientCredentialsService = (configUrl, logger) => ({
+  fetchToken: async (credentials2) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials2)
+});
+function assertConnected(authContext) {
+  if (!authContext) {
+    throw coreRpcErrors.providerErrors.unauthorized({
+      message: "User is not connected"
+    });
+  }
+  return authContext;
+}
+var credentials = zod.z.object({
+  clientId: zod.z.string(),
+  clientSecret: zod.z.string()
+});
+var passwordAuthSchema = zod.z.object({
+  identityProviderId: zod.z.string(),
+  type: zod.z.literal("password"),
+  issuer: zod.z.string(),
+  configUrl: zod.z.string(),
+  audience: zod.z.string(),
+  tokenUrl: zod.z.string(),
+  grantType: zod.z.string(),
+  scope: zod.z.string(),
+  clientId: zod.z.string(),
+  admin: zod.z.optional(credentials)
+});
+var implicitAuthSchema = zod.z.object({
+  identityProviderId: zod.z.string(),
+  type: zod.z.literal("implicit"),
+  issuer: zod.z.string(),
+  configUrl: zod.z.string(),
+  audience: zod.z.string(),
+  scope: zod.z.string(),
+  clientId: zod.z.string(),
+  admin: zod.z.optional(credentials)
+});
+var clientCredentialAuthSchema = zod.z.object({
+  identityProviderId: zod.z.string(),
+  type: zod.z.literal("client_credentials"),
+  issuer: zod.z.string(),
+  configUrl: zod.z.string(),
+  audience: zod.z.string(),
+  scope: zod.z.string(),
+  clientId: zod.z.string(),
+  clientSecret: zod.z.string(),
+  admin: zod.z.optional(credentials)
+});
+var selfSignedAuthSchema = zod.z.object({
+  identityProviderId: zod.z.string(),
+  type: zod.z.literal("self_signed"),
+  issuer: zod.z.string(),
+  audience: zod.z.string(),
+  scope: zod.z.string(),
+  clientId: zod.z.string(),
+  clientSecret: zod.z.string(),
+  admin: zod.z.optional(credentials)
+});
+var authSchema = zod.z.discriminatedUnion("type", [
+  passwordAuthSchema,
+  implicitAuthSchema,
+  clientCredentialAuthSchema,
+  selfSignedAuthSchema
+]);
+var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
+  constructor(auth, logger, expirySeconds = 3600) {
+    this.auth = auth;
+    this.logger = logger;
+    this.expirySeconds = expirySeconds;
+  }
+  async getUserAccessToken() {
+    this.logger.debug("Fetching self-signed user auth token");
+    return _AuthTokenProviderSelfSigned.fetchToken(
+      this.logger,
+      {
+        clientId: this.auth.clientId,
+        clientSecret: this.auth.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      },
+      this.auth.issuer,
+      this.expirySeconds
+    );
+  }
+  async getAdminAccessToken() {
+    this.logger.debug("Fetching self-signed admin auth token");
+    if (!this.auth.admin) {
+      throw new Error("Admin credentials are not configured");
+    }
+    return _AuthTokenProviderSelfSigned.fetchToken(
+      this.logger,
+      {
+        clientId: this.auth.admin.clientId,
+        clientSecret: this.auth.admin.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      },
+      this.auth.issuer,
+      this.expirySeconds
+    );
+  }
+  static async fetchToken(logger, credentials2, issuer, expirySeconds = 3600) {
+    const secret = new TextEncoder().encode(credentials2.clientSecret);
+    const now = Math.floor(Date.now() / 1e3);
+    const jwt = await new jose.SignJWT({
+      sub: credentials2.clientId,
+      aud: credentials2.audience || "",
+      iat: now,
+      exp: now + expirySeconds,
+      iss: issuer
+    }).setProtectedHeader({ alg: "HS256" }).sign(secret);
+    logger.info(`Generated self-signed JWT token: ${jwt}`);
+    return jwt;
+  }
+};
+// src/auth-token-provider.ts
+var AuthTokenProvider = class {
+  constructor(auth, logger) {
+    this.auth = auth;
+    this.logger = logger;
+  }
+  async getUserAccessToken() {
+    this.logger.debug("Fetching user auth token");
+    if (this.auth.type === "self_signed")
+      return new AuthTokenProviderSelfSigned(
+        this.auth,
+        this.logger
+      ).getUserAccessToken();
+    if (this.auth.type === "client_credentials")
+      return clientCredentialsService(
+        this.auth.configUrl,
+        this.logger
+      ).fetchToken({
+        clientId: this.auth.clientId,
+        clientSecret: this.auth.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      });
+    throw new Error(
+      `Auth type ${this.auth.type} not supported for user access token`
+    );
+  }
+  async getAdminAccessToken() {
+    this.logger.debug("Fetching admin auth token");
+    if (this.auth.type === "self_signed")
+      return new AuthTokenProviderSelfSigned(
+        this.auth,
+        this.logger
+      ).getAdminAccessToken();
+    if (!this.auth.admin) {
+      throw new Error(
+        `No admin credentials configured for auth type ${this.auth.type}`
+      );
+    }
+    return clientCredentialsService(
+      this.auth.configUrl,
+      this.logger
+    ).fetchToken({
+      clientId: this.auth.admin.clientId,
+      clientSecret: this.auth.admin.clientSecret,
+      scope: this.auth.scope,
+      audience: this.auth.audience
+    });
+  }
+};
+exports.AuthTokenProvider = AuthTokenProvider;
+exports.AuthTokenProviderSelfSigned = AuthTokenProviderSelfSigned;
+exports.ClientCredentialsService = ClientCredentialsService;
+exports.assertConnected = assertConnected;
+exports.authSchema = authSchema;
+exports.clientCredentialsService = clientCredentialsService;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials","providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMC,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAcC,MAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6BA,MAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAF,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIG,YAAA,CAAQ;AAAA,MAC1B,KAAKH,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,7 @@
 export * from './auth-service.js';
 export * from './client-credentials-service.js';
 export * from './auth-utils.js';
+export * from './config/schema.js';
+export * from './auth-token-provider.js';
+export * from './auth-token-provider-self-signed.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mBAAmB,CAAA;AACjC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iBAAiB,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,mBAAmB,CAAA;AACjC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,iBAAiB,CAAA;AAC/B,cAAc,oBAAoB,CAAA;AAClC,cAAc,0BAA0B,CAAA;AACxC,cAAc,sCAAsC,CAAA"}

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,247 @@
-// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-export * from './auth-service.js';
-export * from './client-credentials-service.js';
-export * from './auth-utils.js';
+import { providerErrors } from '@canton-network/core-rpc-errors';
+import { z } from 'zod';
+import { SignJWT } from 'jose';
+// src/client-credentials-service.ts
+var ClientCredentialsService = class {
+  constructor(configUrl, logger) {
+    this.configUrl = configUrl;
+    this.logger = logger;
+  }
+  /**
+   * Fetches the JWT token (M2M) using client credentials.
+   *
+   * @returns The JWT access token as a string.
+   * @throws If fetching the token fails or the response is invalid.
+   */
+  async fetchToken(credentials2) {
+    try {
+      const oidcConfig = await this.getOIDCConfig(this.configUrl);
+      this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
+      const res = await this.fetchTokenEndpoint(
+        oidcConfig.token_endpoint,
+        credentials2
+      );
+      const json = await res.json();
+      this.logger?.info(
+        { response: json },
+        `Fetched admin token for clientId: ${credentials2.clientId}`
+      );
+      if (!json.access_token) {
+        throw new Error("No access_token in token endpoint response");
+      }
+      return json.access_token;
+    } catch (error) {
+      this.logger?.error({ err: error }, "Failed to fetch admin token");
+      throw error;
+    }
+  }
+  async fetchTokenEndpoint(tokenEndpoint, credentials2) {
+    const params = new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: credentials2.clientId,
+      client_secret: credentials2.clientSecret,
+      scope: credentials2.scope ?? "",
+      audience: credentials2.audience ?? ""
+    });
+    const res = await fetch(tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString()
+    });
+    if (!res.ok) {
+      this.logger?.error(
+        { status: res.status, statusText: res.statusText },
+        "Token endpoint error"
+      );
+      throw new Error(
+        `Token endpoint error: ${res.status} ${res.statusText}`
+      );
+    }
+    return res;
+  }
+  async getOIDCConfig(url) {
+    const res = await fetch(url);
+    if (!res.ok) {
+      const text = await res.text();
+      this.logger?.error(
+        { status: res.status, statusText: res.statusText, body: text },
+        "Failed to fetch OIDC config"
+      );
+      throw new Error(
+        `OIDC config error: ${res.status} ${res.statusText}`
+      );
+    }
+    return res.json();
+  }
+};
+var clientCredentialsService = (configUrl, logger) => ({
+  fetchToken: async (credentials2) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials2)
+});
+function assertConnected(authContext) {
+  if (!authContext) {
+    throw providerErrors.unauthorized({
+      message: "User is not connected"
+    });
+  }
+  return authContext;
+}
+var credentials = z.object({
+  clientId: z.string(),
+  clientSecret: z.string()
+});
+var passwordAuthSchema = z.object({
+  identityProviderId: z.string(),
+  type: z.literal("password"),
+  issuer: z.string(),
+  configUrl: z.string(),
+  audience: z.string(),
+  tokenUrl: z.string(),
+  grantType: z.string(),
+  scope: z.string(),
+  clientId: z.string(),
+  admin: z.optional(credentials)
+});
+var implicitAuthSchema = z.object({
+  identityProviderId: z.string(),
+  type: z.literal("implicit"),
+  issuer: z.string(),
+  configUrl: z.string(),
+  audience: z.string(),
+  scope: z.string(),
+  clientId: z.string(),
+  admin: z.optional(credentials)
+});
+var clientCredentialAuthSchema = z.object({
+  identityProviderId: z.string(),
+  type: z.literal("client_credentials"),
+  issuer: z.string(),
+  configUrl: z.string(),
+  audience: z.string(),
+  scope: z.string(),
+  clientId: z.string(),
+  clientSecret: z.string(),
+  admin: z.optional(credentials)
+});
+var selfSignedAuthSchema = z.object({
+  identityProviderId: z.string(),
+  type: z.literal("self_signed"),
+  issuer: z.string(),
+  audience: z.string(),
+  scope: z.string(),
+  clientId: z.string(),
+  clientSecret: z.string(),
+  admin: z.optional(credentials)
+});
+var authSchema = z.discriminatedUnion("type", [
+  passwordAuthSchema,
+  implicitAuthSchema,
+  clientCredentialAuthSchema,
+  selfSignedAuthSchema
+]);
+var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
+  constructor(auth, logger, expirySeconds = 3600) {
+    this.auth = auth;
+    this.logger = logger;
+    this.expirySeconds = expirySeconds;
+  }
+  async getUserAccessToken() {
+    this.logger.debug("Fetching self-signed user auth token");
+    return _AuthTokenProviderSelfSigned.fetchToken(
+      this.logger,
+      {
+        clientId: this.auth.clientId,
+        clientSecret: this.auth.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      },
+      this.auth.issuer,
+      this.expirySeconds
+    );
+  }
+  async getAdminAccessToken() {
+    this.logger.debug("Fetching self-signed admin auth token");
+    if (!this.auth.admin) {
+      throw new Error("Admin credentials are not configured");
+    }
+    return _AuthTokenProviderSelfSigned.fetchToken(
+      this.logger,
+      {
+        clientId: this.auth.admin.clientId,
+        clientSecret: this.auth.admin.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      },
+      this.auth.issuer,
+      this.expirySeconds
+    );
+  }
+  static async fetchToken(logger, credentials2, issuer, expirySeconds = 3600) {
+    const secret = new TextEncoder().encode(credentials2.clientSecret);
+    const now = Math.floor(Date.now() / 1e3);
+    const jwt = await new SignJWT({
+      sub: credentials2.clientId,
+      aud: credentials2.audience || "",
+      iat: now,
+      exp: now + expirySeconds,
+      iss: issuer
+    }).setProtectedHeader({ alg: "HS256" }).sign(secret);
+    logger.info(`Generated self-signed JWT token: ${jwt}`);
+    return jwt;
+  }
+};
+// src/auth-token-provider.ts
+var AuthTokenProvider = class {
+  constructor(auth, logger) {
+    this.auth = auth;
+    this.logger = logger;
+  }
+  async getUserAccessToken() {
+    this.logger.debug("Fetching user auth token");
+    if (this.auth.type === "self_signed")
+      return new AuthTokenProviderSelfSigned(
+        this.auth,
+        this.logger
+      ).getUserAccessToken();
+    if (this.auth.type === "client_credentials")
+      return clientCredentialsService(
+        this.auth.configUrl,
+        this.logger
+      ).fetchToken({
+        clientId: this.auth.clientId,
+        clientSecret: this.auth.clientSecret,
+        scope: this.auth.scope,
+        audience: this.auth.audience
+      });
+    throw new Error(
+      `Auth type ${this.auth.type} not supported for user access token`
+    );
+  }
+  async getAdminAccessToken() {
+    this.logger.debug("Fetching admin auth token");
+    if (this.auth.type === "self_signed")
+      return new AuthTokenProviderSelfSigned(
+        this.auth,
+        this.logger
+      ).getAdminAccessToken();
+    if (!this.auth.admin) {
+      throw new Error(
+        `No admin credentials configured for auth type ${this.auth.type}`
+      );
+    }
+    return clientCredentialsService(
+      this.auth.configUrl,
+      this.logger
+    ).fetchToken({
+      clientId: this.auth.admin.clientId,
+      clientSecret: this.auth.admin.clientSecret,
+      scope: this.auth.scope,
+      audience: this.auth.audience
+    });
+  }
+};
+export { AuthTokenProvider, AuthTokenProviderSelfSigned, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials"],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAA,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAKA,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,20 +1,29 @@
 {
   "name": "@canton-network/core-wallet-auth",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "type": "module",
   "description": "Provides authentication middleware and user management for the Wallet Gateway",
   "repository": "github:hyperledger-labs/splice-wallet-kernel",
   "license": "Apache-2.0",
   "author": "Marc Juchli <marc.juchli@digitalasset.com>",
   "packageManager": "yarn@4.9.4",
-  "main": "./dist/index.js",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
   "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "default": "./dist/index.js"
+    }
+  },
   "scripts": {
-    "build": "tsc -b",
-    "dev": "tsc -b --watch",
+    "build": "tsup && tsc -p tsconfig.types.json",
+    "dev": "tsup --watch --onSuccess \"tsc -p tsconfig.types.json\"",
     "flatpack": "yarn pack --out \"$FLATPACK_OUTDIR\"",
     "clean": "tsc -b --clean; rm -rf dist",
-    "test": "yarn node --experimental-vm-modules $(yarn bin jest) --passWithNoTests"
+    "test": "jest --passWithNoTests"
   },
   "devDependencies": {
     "@jest/globals": "^29.0.0",
@@ -24,11 +33,14 @@
     "jest": "^30.0.0",
     "ts-jest": "^29.4.0",
     "ts-jest-resolver": "^2.0.1",
+    "tsup": "^8.5.0",
     "typescript": "^5.8.3"
   },
   "dependencies": {
-    "@canton-network/core-rpc-errors": "^0.6.0",
-    "@canton-network/core-types": "^0.9.0"
+    "@canton-network/core-rpc-errors": "^0.7.0",
+    "@canton-network/core-types": "^0.10.0",
+    "jose": "^5.10.0",
+    "zod": "^3.25.64"
   },
   "files": [
     "dist/**"

package/dist/auth-service.js DELETED Viewed

@@ -1,3 +0,0 @@
-// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-export {};

package/dist/auth-utils.js DELETED Viewed

@@ -1,11 +0,0 @@
-// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-import { providerErrors } from '@canton-network/core-rpc-errors';
-export function assertConnected(authContext) {
-    if (!authContext) {
-        throw providerErrors.unauthorized({
-            message: 'User is not connected',
-        });
-    }
-    return authContext;
-}

package/dist/client-credentials-service.js DELETED Viewed

@@ -1,64 +0,0 @@
-// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-export class ClientCredentialsService {
-    configUrl;
-    logger;
-    constructor(configUrl, logger) {
-        this.configUrl = configUrl;
-        this.logger = logger;
-    }
-    /**
-     * Fetches the JWT token (M2M) using client credentials.
-     *
-     * @returns The JWT access token as a string.
-     * @throws If fetching the token fails or the response is invalid.
-     */
-    async fetchToken(credentials) {
-        try {
-            const oidcConfig = await this.getOIDCConfig(this.configUrl);
-            this.logger?.debug({ oidcConfig }, 'Fetched OIDC config');
-            const res = await this.fetchTokenEndpoint(oidcConfig.token_endpoint, credentials);
-            const json = await res.json();
-            this.logger?.info({ response: json }, `Fetched admin token for clientId: ${credentials.clientId}`);
-            if (!json.access_token) {
-                throw new Error('No access_token in token endpoint response');
-            }
-            return json.access_token;
-        }
-        catch (error) {
-            this.logger?.error({ err: error }, 'Failed to fetch admin token');
-            throw error;
-        }
-    }
-    async fetchTokenEndpoint(tokenEndpoint, credentials) {
-        const params = new URLSearchParams({
-            grant_type: 'client_credentials',
-            client_id: credentials.clientId,
-            client_secret: credentials.clientSecret,
-            scope: credentials.scope ?? '',
-            audience: credentials.audience ?? '',
-        });
-        const res = await fetch(tokenEndpoint, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            body: params.toString(),
-        });
-        if (!res.ok) {
-            this.logger?.error({ status: res.status, statusText: res.statusText }, 'Token endpoint error');
-            throw new Error(`Token endpoint error: ${res.status} ${res.statusText}`);
-        }
-        return res;
-    }
-    async getOIDCConfig(url) {
-        const res = await fetch(url);
-        if (!res.ok) {
-            const text = await res.text();
-            this.logger?.error({ status: res.status, statusText: res.statusText, body: text }, 'Failed to fetch OIDC config');
-            throw new Error(`OIDC config error: ${res.status} ${res.statusText}`);
-        }
-        return res.json();
-    }
-}
-export const clientCredentialsService = (configUrl, logger) => ({
-    fetchToken: async (credentials) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials),
-});

package/dist/client-credentials.service.test.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export {};
2	- //# sourceMappingURL=client-credentials.service.test.d.ts.map

package/dist/client-credentials.service.test.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"client-credentials.service.test.d.ts","sourceRoot":"","sources":["../src/client-credentials.service.test.ts"],"names":[],"mappings":""}

package/dist/client-credentials.service.test.js DELETED Viewed

@@ -1,55 +0,0 @@
-// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
-// SPDX-License-Identifier: Apache-2.0
-import { jest } from '@jest/globals';
-import { ClientCredentialsService, } from './client-credentials-service.js';
-describe('ClientCredentialsService', () => {
-    const configUrl = 'http://idp/.well-known/openid-configuration';
-    const credentials = {
-        audience: 'aud',
-        scope: 'scope',
-        clientId: 'cid',
-        clientSecret: 'secret',
-    };
-    let service;
-    let getOIDCConfigSpy;
-    let fetchTokenEndpointSpy;
-    beforeEach(() => {
-        service = new ClientCredentialsService(configUrl, undefined);
-        getOIDCConfigSpy = jest.spyOn(service, 'getOIDCConfig');
-        fetchTokenEndpointSpy = jest.spyOn(service, 'fetchTokenEndpoint');
-    });
-    it('returns access_token on success', async () => {
-        getOIDCConfigSpy.mockResolvedValue({
-            token_endpoint: 'http://idp/token',
-        });
-        fetchTokenEndpointSpy.mockResolvedValue({
-            ok: true,
-            json: jest
-                .fn()
-                .mockResolvedValue({ access_token: 'jwt' }),
-        });
-        const token = await service.fetchToken(credentials);
-        expect(token).toBe('jwt');
-    });
-    it('throws if OIDC config fetch fails', async () => {
-        getOIDCConfigSpy.mockRejectedValue(new Error('config fail'));
-        await expect(service.fetchToken(credentials)).rejects.toThrow('config fail');
-    });
-    it('throws if token endpoint fetch fails', async () => {
-        getOIDCConfigSpy.mockResolvedValue({
-            token_endpoint: 'http://idp/token',
-        });
-        fetchTokenEndpointSpy.mockRejectedValue(new Error('token fail'));
-        await expect(service.fetchToken(credentials)).rejects.toThrow('token fail');
-    });
-    it('throws if access_token missing', async () => {
-        getOIDCConfigSpy.mockResolvedValue({
-            token_endpoint: 'http://idp/token',
-        });
-        fetchTokenEndpointSpy.mockResolvedValue({
-            ok: true,
-            json: jest.fn().mockResolvedValue({}),
-        });
-        await expect(service.fetchToken(credentials)).rejects.toThrow('No access_token in token endpoint response');
-    });
-});