@canton-network/core-wallet-auth 0.11.0 → 0.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth-token-provider-self-signed.d.ts +2 -1
- package/dist/auth-token-provider-self-signed.d.ts.map +1 -1
- package/dist/auth-token-provider.d.ts +4 -2
- package/dist/auth-token-provider.d.ts.map +1 -1
- package/dist/config/schema.d.ts +63 -293
- package/dist/config/schema.d.ts.map +1 -1
- package/dist/index.cjs +94 -83
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +94 -84
- package/dist/index.js.map +1 -1
- package/package.json +3 -3
|
@@ -3,9 +3,10 @@ import { AccessTokenProvider, ClientCredentials } from './auth-service.js';
|
|
|
3
3
|
import { SelfSignedAuth } from './config/schema.js';
|
|
4
4
|
export declare class AuthTokenProviderSelfSigned implements AccessTokenProvider {
|
|
5
5
|
private auth;
|
|
6
|
+
private authAdmin;
|
|
6
7
|
private logger;
|
|
7
8
|
private expirySeconds;
|
|
8
|
-
constructor(auth: SelfSignedAuth, logger: Logger, expirySeconds?: number);
|
|
9
|
+
constructor(auth: SelfSignedAuth, authAdmin: SelfSignedAuth, logger: Logger, expirySeconds?: number);
|
|
9
10
|
getUserAccessToken(): Promise<string>;
|
|
10
11
|
getAdminAccessToken(): Promise<string>;
|
|
11
12
|
static fetchToken(logger: Logger, credentials: ClientCredentials, issuer: string, expirySeconds?: number): Promise<string>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-token-provider-self-signed.d.ts","sourceRoot":"","sources":["../src/auth-token-provider-self-signed.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGnD,qBAAa,2BAA4B,YAAW,mBAAmB;IAE/D,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,aAAa;
|
|
1
|
+
{"version":3,"file":"auth-token-provider-self-signed.d.ts","sourceRoot":"","sources":["../src/auth-token-provider-self-signed.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGnD,qBAAa,2BAA4B,YAAW,mBAAmB;IAE/D,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,aAAa;gBAHb,IAAI,EAAE,cAAc,EACpB,SAAS,EAAE,cAAc,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa;IAGlC,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAerC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;WAkB/B,UAAU,CACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,iBAAiB,EAC9B,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa,GAC7B,OAAO,CAAC,MAAM,CAAC;CAgBrB"}
|
|
@@ -1,10 +1,12 @@
|
|
|
1
1
|
import { Logger } from '@canton-network/core-types';
|
|
2
2
|
import { AccessTokenProvider } from './auth-service.js';
|
|
3
|
-
import { Auth } from './config/schema.js';
|
|
3
|
+
import { Auth, Idp } from './config/schema.js';
|
|
4
4
|
export declare class AuthTokenProvider implements AccessTokenProvider {
|
|
5
|
+
private idp;
|
|
5
6
|
private auth;
|
|
7
|
+
private adminAuth;
|
|
6
8
|
private logger;
|
|
7
|
-
constructor(auth: Auth, logger: Logger);
|
|
9
|
+
constructor(idp: Idp, auth: Auth, adminAuth: Auth, logger: Logger);
|
|
8
10
|
getUserAccessToken(): Promise<string>;
|
|
9
11
|
getAdminAccessToken(): Promise<string>;
|
|
10
12
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;
|
|
1
|
+
{"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAkB,MAAM,oBAAoB,CAAA;AAI9D,qBAAa,iBAAkB,YAAW,mBAAmB;IAErD,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;gBAHN,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,SAAS,EAAE,IAAI,EACf,MAAM,EAAE,MAAM;IAGpB,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAgCrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;CAqC/C"}
|
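--- a/package/dist/config/schema.d.ts
+++ b/package/dist/config/schema.d.ts
@@ -1,378 +1,148 @@
 import { z } from 'zod';
-declare const
-
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>;
-declare const passwordAuthSchema: z.ZodObject<{
-identityProviderId: z.ZodString;
-type: z.ZodLiteral<"password">;
-issuer: z.ZodString;
-configUrl: z.ZodString;
+declare const authorizationCodeAuthSchema: z.ZodObject<{
+method: z.ZodLiteral<"authorization_code">;
 audience: z.ZodString;
-tokenUrl: z.ZodString;
-grantType: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
-
-type: "password";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
+method: "authorization_code";
 audience: string;
-tokenUrl: string;
-grantType: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
-type: "password";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
-audience: string;
-tokenUrl: string;
-grantType: string;
-scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}>;
-declare const implicitAuthSchema: z.ZodObject<{
-identityProviderId: z.ZodString;
-type: z.ZodLiteral<"implicit">;
-issuer: z.ZodString;
-configUrl: z.ZodString;
-audience: z.ZodString;
-scope: z.ZodString;
-clientId: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-type: "implicit";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
-audience: string;
-scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
 }, {
-
-type: "implicit";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
+method: "authorization_code";
 audience: string;
 scope: string;
-
-clientId: string;
-clientSecret: string;
-} | undefined;
+clientId: string;
 }>;
-declare const
-
-type: z.ZodLiteral<"client_credentials">;
-issuer: z.ZodString;
-configUrl: z.ZodString;
+declare const clientCredentialsAuthSchema: z.ZodObject<{
+method: z.ZodLiteral<"client_credentials">;
 audience: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
 clientSecret: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
-
-clientSecret: string;
-type: "client_credentials";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
+method: "client_credentials";
 audience: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
 clientSecret: string;
-
-
-issuer: string;
-configUrl: string;
+}, {
+method: "client_credentials";
 audience: string;
 scope: string;
-
-
-clientSecret: string;
-} | undefined;
+clientId: string;
+clientSecret: string;
 }>;
 declare const selfSignedAuthSchema: z.ZodObject<{
-
-type: z.ZodLiteral<"self_signed">;
+method: z.ZodLiteral<"self_signed">;
 issuer: z.ZodString;
 audience: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
 clientSecret: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
+method: "self_signed";
+audience: string;
+scope: string;
 clientId: string;
 clientSecret: string;
-type: "self_signed";
-identityProviderId: string;
 issuer: string;
+}, {
+method: "self_signed";
 audience: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
 clientSecret: string;
-type: "self_signed";
-identityProviderId: string;
 issuer: string;
-audience: string;
-scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
 }>;
-export declare const authSchema: z.ZodDiscriminatedUnion<"
-
-type: z.ZodLiteral<"password">;
-issuer: z.ZodString;
-configUrl: z.ZodString;
+export declare const authSchema: z.ZodDiscriminatedUnion<"method", [z.ZodObject<{
+method: z.ZodLiteral<"authorization_code">;
 audience: z.ZodString;
-tokenUrl: z.ZodString;
-grantType: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
-
-type: "password";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
+method: "authorization_code";
 audience: string;
-tokenUrl: string;
-grantType: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
-
-
-issuer: string;
-configUrl: string;
+}, {
+method: "authorization_code";
 audience: string;
-tokenUrl: string;
-grantType: string;
 scope: string;
-
-clientId: string;
-clientSecret: string;
-} | undefined;
+clientId: string;
 }>, z.ZodObject<{
-
-type: z.ZodLiteral<"implicit">;
-issuer: z.ZodString;
-configUrl: z.ZodString;
+method: z.ZodLiteral<"client_credentials">;
 audience: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
-
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
+clientSecret: z.ZodString;
 }, "strip", z.ZodTypeAny, {
-
-type: "implicit";
-identityProviderId: string;
-issuer: string;
-configUrl: string;
+method: "client_credentials";
 audience: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
-
-
-
-configUrl: string;
+clientSecret: string;
+}, {
+method: "client_credentials";
 audience: string;
 scope: string;
-
-
-clientSecret: string;
-} | undefined;
+clientId: string;
+clientSecret: string;
 }>, z.ZodObject<{
-
-type: z.ZodLiteral<"client_credentials">;
+method: z.ZodLiteral<"self_signed">;
 issuer: z.ZodString;
-configUrl: z.ZodString;
 audience: z.ZodString;
 scope: z.ZodString;
 clientId: z.ZodString;
 clientSecret: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
+method: "self_signed";
+audience: string;
+scope: string;
 clientId: string;
 clientSecret: string;
-type: "client_credentials";
-identityProviderId: string;
 issuer: string;
-
+}, {
+method: "self_signed";
 audience: string;
 scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
-}, {
 clientId: string;
 clientSecret: string;
-type: "client_credentials";
-identityProviderId: string;
 issuer: string;
-
-
-
-
-
-
-
-}>, z.ZodObject<{
-identityProviderId: z.ZodString;
+}>]>;
+export type Auth = z.infer<typeof authSchema>;
+export type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>;
+export type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>;
+export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
+export declare const idpSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+id: z.ZodString;
 type: z.ZodLiteral<"self_signed">;
 issuer: z.ZodString;
-audience: z.ZodString;
-scope: z.ZodString;
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-admin: z.ZodOptional<z.ZodObject<{
-clientId: z.ZodString;
-clientSecret: z.ZodString;
-}, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
-}, {
-clientId: string;
-clientSecret: string;
-}>>;
 }, "strip", z.ZodTypeAny, {
-clientId: string;
-clientSecret: string;
 type: "self_signed";
-identityProviderId: string;
 issuer: string;
-
-scope: string;
-admin?: {
-clientId: string;
-clientSecret: string;
-} | undefined;
+id: string;
 }, {
-clientId: string;
-clientSecret: string;
 type: "self_signed";
-identityProviderId: string;
 issuer: string;
-
-
-
-
-
-
+id: string;
+}>, z.ZodObject<{
+id: z.ZodString;
+type: z.ZodLiteral<"oauth">;
+issuer: z.ZodString;
+configUrl: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+type: "oauth";
+issuer: string;
+id: string;
+configUrl: string;
+}, {
+type: "oauth";
+issuer: string;
+id: string;
+configUrl: string;
 }>]>;
-export type
-export type ImplicitAuth = z.infer<typeof implicitAuthSchema>;
-export type PasswordAuth = z.infer<typeof passwordAuthSchema>;
-export type Credentials = z.infer<typeof credentials>;
-export type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>;
-export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
+export type Idp = z.infer<typeof idpSchema>;
 export {};
 //# sourceMappingURL=schema.d.ts.map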
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;;;;;;;;;;;EAK/B,CAAA;AAEF,QAAA,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;EAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;EAOxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAIrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;IAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
|
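--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -16,18 +16,18 @@ var ClientCredentialsService = class {
 * @returns The JWT access token as a string.
 * @throws If fetching the token fails or the response is invalid.
 */
-async fetchToken(
+async fetchToken(credentials) {
 try {
 const oidcConfig = await this.getOIDCConfig(this.configUrl);
 this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
 const res = await this.fetchTokenEndpoint(
 oidcConfig.token_endpoint,
-
+credentials
 );
 const json = await res.json();
 this.logger?.info(
 { response: json },
-`Fetched admin token for clientId: ${
+`Fetched admin token for clientId: ${credentials.clientId}`
 );
 if (!json.access_token) {
 throw new Error("No access_token in token endpoint response");
@@ -38,13 +38,13 @@ var ClientCredentialsService = class {
 throw error;
 }
 }
-async fetchTokenEndpoint(tokenEndpoint,
+async fetchTokenEndpoint(tokenEndpoint, credentials) {
 const params = new URLSearchParams({
 grant_type: "client_credentials",
-client_id:
-client_secret:
-scope:
-audience:
+client_id: credentials.clientId,
+client_secret: credentials.clientSecret,
+scope: credentials.scope ?? "",
+audience: credentials.audience ?? ""
 });
 const res = await fetch(tokenEndpoint, {
 method: "POST",
@@ -78,7 +78,7 @@ var ClientCredentialsService = class {
 }
 };
 var clientCredentialsService = (configUrl, logger) => ({
-fetchToken: async (
+fetchToken: async (credentials) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials)
 });
 function assertConnected(authContext) {
 if (!authContext) {
@@ -88,62 +88,49 @@ function assertConnected(authContext) {
 }
 return authContext;
 }
-var
-
-clientSecret: zod.z.string()
-});
-var passwordAuthSchema = zod.z.object({
-identityProviderId: zod.z.string(),
-type: zod.z.literal("password"),
-issuer: zod.z.string(),
-configUrl: zod.z.string(),
+var authorizationCodeAuthSchema = zod.z.object({
+method: zod.z.literal("authorization_code"),
 audience: zod.z.string(),
-tokenUrl: zod.z.string(),
-grantType: zod.z.string(),
 scope: zod.z.string(),
-clientId: zod.z.string()
-admin: zod.z.optional(credentials)
+clientId: zod.z.string()
 });
-var
-
-type: zod.z.literal("implicit"),
-issuer: zod.z.string(),
-configUrl: zod.z.string(),
+var clientCredentialsAuthSchema = zod.z.object({
+method: zod.z.literal("client_credentials"),
 audience: zod.z.string(),
 scope: zod.z.string(),
 clientId: zod.z.string(),
-
-});
-var clientCredentialAuthSchema = zod.z.object({
-identityProviderId: zod.z.string(),
-type: zod.z.literal("client_credentials"),
-issuer: zod.z.string(),
-configUrl: zod.z.string(),
-audience: zod.z.string(),
-scope: zod.z.string(),
-clientId: zod.z.string(),
-clientSecret: zod.z.string(),
-admin: zod.z.optional(credentials)
+clientSecret: zod.z.string()
 });
 var selfSignedAuthSchema = zod.z.object({
-
-type: zod.z.literal("self_signed"),
+method: zod.z.literal("self_signed"),
 issuer: zod.z.string(),
 audience: zod.z.string(),
 scope: zod.z.string(),
 clientId: zod.z.string(),
-clientSecret: zod.z.string()
-admin: zod.z.optional(credentials)
+clientSecret: zod.z.string()
 });
-var authSchema = zod.z.discriminatedUnion("
-
-
-clientCredentialAuthSchema,
+var authSchema = zod.z.discriminatedUnion("method", [
+authorizationCodeAuthSchema,
+clientCredentialsAuthSchema,
 selfSignedAuthSchema
 ]);
+var idpSchema = zod.z.discriminatedUnion("type", [
+zod.z.object({
+id: zod.z.string(),
+type: zod.z.literal("self_signed"),
+issuer: zod.z.string()
+}),
+zod.z.object({
+id: zod.z.string(),
+type: zod.z.literal("oauth"),
+issuer: zod.z.string(),
+configUrl: zod.z.string().url()
+})
+]);
 var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
-constructor(auth, logger, expirySeconds = 3600) {
+constructor(auth, authAdmin, logger, expirySeconds = 3600) {
 this.auth = auth;
+this.authAdmin = authAdmin;
 this.logger = logger;
 this.expirySeconds = expirySeconds;
 }
@@ -163,27 +150,27 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
 }
 async getAdminAccessToken() {
 this.logger.debug("Fetching self-signed admin auth token");
-if (!this.
+if (!this.authAdmin) {
 throw new Error("Admin credentials are not configured");
 }
 return _AuthTokenProviderSelfSigned.fetchToken(
 this.logger,
 {
-clientId: this.
-clientSecret: this.
-scope: this.
-audience: this.
+clientId: this.authAdmin.clientId,
+clientSecret: this.authAdmin.clientSecret,
+scope: this.authAdmin.scope,
+audience: this.authAdmin.audience
 },
-this.
+this.authAdmin.issuer,
 this.expirySeconds
 );
 }
-static async fetchToken(logger,
-const secret = new TextEncoder().encode(
+static async fetchToken(logger, credentials, issuer, expirySeconds = 3600) {
+const secret = new TextEncoder().encode(credentials.clientSecret);
 const now = Math.floor(Date.now() / 1e3);
 const jwt = await new jose.SignJWT({
-sub:
-aud:
+sub: credentials.clientId,
+aud: credentials.audience || "",
 iat: now,
 exp: now + expirySeconds,
 iss: issuer
@@ -195,52 +182,75 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
 
 // src/auth-token-provider.ts
 var AuthTokenProvider = class {
-constructor(auth, logger) {
+constructor(idp, auth, adminAuth, logger) {
+this.idp = idp;
 this.auth = auth;
+this.adminAuth = adminAuth;
 this.logger = logger;
 }
 async getUserAccessToken() {
 this.logger.debug("Fetching user auth token");
-if (this.auth.
+if (this.auth.method === "self_signed")
 return new AuthTokenProviderSelfSigned(
 this.auth,
+this.adminAuth,
 this.logger
 ).getUserAccessToken();
-if (this.auth.
-
-
-
-
-
-
-
-
-
+if (this.auth.method === "client_credentials") {
+if (this.idp.type === "oauth")
+return clientCredentialsService(
+this.idp.configUrl,
+this.logger
+).fetchToken({
+clientId: this.auth.clientId,
+clientSecret: this.auth.clientSecret,
+scope: this.auth.scope,
+audience: this.auth.audience
+});
+else {
+throw new Error(
+`IDP type ${this.idp.type} not supported for client_credentials auth`
+);
+}
+}
 throw new Error(
-`Auth
+`Auth method ${this.auth.method} not supported for user access token`
 );
 }
 async getAdminAccessToken() {
 this.logger.debug("Fetching admin auth token");
-if (this.
+if (this.adminAuth.method === "self_signed")
 return new AuthTokenProviderSelfSigned(
 this.auth,
+this.adminAuth,
 this.logger
 ).getAdminAccessToken();
-if (!this.
+if (!this.adminAuth) {
 throw new Error(
-`No admin credentials configured for auth type ${this.auth.
+`No admin credentials configured for auth type ${this.auth.method}`
+);
+}
+if (this.adminAuth.method === "client_credentials") {
+if (this.idp.type === "oauth")
+return clientCredentialsService(
+this.idp.configUrl,
+this.logger
+).fetchToken({
+clientId: this.adminAuth.clientId,
+clientSecret: this.adminAuth.clientSecret,
+scope: this.adminAuth.scope,
+audience: this.adminAuth.audience
+});
+else {
+throw new Error(
+`IDP type ${this.idp.type} not supported for client_credentials auth`
+);
+}
+} else {
+throw new Error(
+`Auth method ${this.auth.method} not supported for admin access token`
 );
 }
-return clientCredentialsService(
-this.auth.configUrl,
-this.logger
-).fetchToken({
-clientId: this.auth.admin.clientId,
-clientSecret: this.auth.admin.clientSecret,
-scope: this.auth.scope,
-audience: this.auth.audience
-});
 }
 };
 
@@ -250,5 +260,6 @@ exports.ClientCredentialsService = ClientCredentialsService;
 exports.assertConnected = assertConnected;
 exports.authSchema = authSchema;
 exports.clientCredentialsService = clientCredentialsService;
+exports.idpSchema = idpSchema;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map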
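Review bot: In the new `getAdminAccessToken` of `AuthTokenProvider` (hunk `@@ -195,52 +182,75 @@`), `this.adminAuth.method` is dereferenced on the first `if` before the `if (!this.adminAuth)` guard runs, so a missing admin config surfaces as a TypeError from the property access instead of the intended "No admin credentials configured" error; the guard needs to be the first statement after the debug log. The final `else` branch also reports `this.auth.method` although the value being rejected is `this.adminAuth.method`, so the message names the wrong config entry. The constructor now takes `adminAuth` as a required positional parameter, so the guard may be redundant in practice — I can't tell from the hunk whether callers can still omit it — but wherever it is kept it must precede any dereference. Separately, the `logger?.info` call in `ClientCredentialsService.fetchToken` (hunk `@@ -16,18 +16,18 @@`) still passes `{ response: json }`, i.e. the full token-endpoint response including `access_token`, to the logger; logging only non-secret fields such as `token_type` and `expires_in` would keep bearer tokens out of log storage.
```javascript
  async getAdminAccessToken() {
    this.logger.debug("Fetching admin auth token");
    // Guard before anything below touches adminAuth.
    if (!this.adminAuth) {
      throw new Error(
        `No admin credentials configured for auth type ${this.auth.method}`
      );
    }
    if (this.adminAuth.method === "self_signed")
      // … unchanged: AuthTokenProviderSelfSigned admin token path …
    if (this.adminAuth.method === "client_credentials") {
      // … unchanged: oauth idp check and clientCredentialsService call …
    } else {
      throw new Error(
        `Auth method ${this.adminAuth.method} not supported for admin access token`
      );
    }
  }
```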
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
1
-
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials","providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EA
AA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMC,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAcC,MAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6BA,MAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,CAA
E,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAF,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIG,YAAA,CAAQ;AAAA,MAC1B,KAAKH,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GA
AA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}
1
+
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAA
A,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,E
ACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC7DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,
IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: 
this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
package/dist/index.js
CHANGED
@@ -14,18 +14,18 @@ var ClientCredentialsService = class {
|
|
|
14
14
|
* @returns The JWT access token as a string.
|
|
15
15
|
* @throws If fetching the token fails or the response is invalid.
|
|
16
16
|
*/
|
|
17
|
-
async fetchToken(
|
|
17
|
+
async fetchToken(credentials) {
|
|
18
18
|
try {
|
|
19
19
|
const oidcConfig = await this.getOIDCConfig(this.configUrl);
|
|
20
20
|
this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
|
|
21
21
|
const res = await this.fetchTokenEndpoint(
|
|
22
22
|
oidcConfig.token_endpoint,
|
|
23
|
-
|
|
23
|
+
credentials
|
|
24
24
|
);
|
|
25
25
|
const json = await res.json();
|
|
26
26
|
this.logger?.info(
|
|
27
27
|
{ response: json },
|
|
28
|
-
`Fetched admin token for clientId: ${
|
|
28
|
+
`Fetched admin token for clientId: ${credentials.clientId}`
|
|
29
29
|
);
|
|
30
30
|
if (!json.access_token) {
|
|
31
31
|
throw new Error("No access_token in token endpoint response");
|
|
@@ -36,13 +36,13 @@ var ClientCredentialsService = class {
|
|
|
36
36
|
throw error;
|
|
37
37
|
}
|
|
38
38
|
}
|
|
39
|
-
async fetchTokenEndpoint(tokenEndpoint,
|
|
39
|
+
async fetchTokenEndpoint(tokenEndpoint, credentials) {
|
|
40
40
|
const params = new URLSearchParams({
|
|
41
41
|
grant_type: "client_credentials",
|
|
42
|
-
client_id:
|
|
43
|
-
client_secret:
|
|
44
|
-
scope:
|
|
45
|
-
audience:
|
|
42
|
+
client_id: credentials.clientId,
|
|
43
|
+
client_secret: credentials.clientSecret,
|
|
44
|
+
scope: credentials.scope ?? "",
|
|
45
|
+
audience: credentials.audience ?? ""
|
|
46
46
|
});
|
|
47
47
|
const res = await fetch(tokenEndpoint, {
|
|
48
48
|
method: "POST",
|
|
@@ -76,7 +76,7 @@ var ClientCredentialsService = class {
|
|
|
76
76
|
}
|
|
77
77
|
};
|
|
78
78
|
var clientCredentialsService = (configUrl, logger) => ({
|
|
79
|
-
fetchToken: async (
|
|
79
|
+
fetchToken: async (credentials) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials)
|
|
80
80
|
});
|
|
81
81
|
function assertConnected(authContext) {
|
|
82
82
|
if (!authContext) {
|
|
@@ -86,62 +86,49 @@ function assertConnected(authContext) {
|
|
|
86
86
|
}
|
|
87
87
|
return authContext;
|
|
88
88
|
}
|
|
89
|
-
var
|
|
90
|
-
|
|
91
|
-
clientSecret: z.string()
|
|
92
|
-
});
|
|
93
|
-
var passwordAuthSchema = z.object({
|
|
94
|
-
identityProviderId: z.string(),
|
|
95
|
-
type: z.literal("password"),
|
|
96
|
-
issuer: z.string(),
|
|
97
|
-
configUrl: z.string(),
|
|
89
|
+
var authorizationCodeAuthSchema = z.object({
|
|
90
|
+
method: z.literal("authorization_code"),
|
|
98
91
|
audience: z.string(),
|
|
99
|
-
tokenUrl: z.string(),
|
|
100
|
-
grantType: z.string(),
|
|
101
92
|
scope: z.string(),
|
|
102
|
-
clientId: z.string()
|
|
103
|
-
admin: z.optional(credentials)
|
|
93
|
+
clientId: z.string()
|
|
104
94
|
});
|
|
105
|
-
var
|
|
106
|
-
|
|
107
|
-
type: z.literal("implicit"),
|
|
108
|
-
issuer: z.string(),
|
|
109
|
-
configUrl: z.string(),
|
|
95
|
+
var clientCredentialsAuthSchema = z.object({
|
|
96
|
+
method: z.literal("client_credentials"),
|
|
110
97
|
audience: z.string(),
|
|
111
98
|
scope: z.string(),
|
|
112
99
|
clientId: z.string(),
|
|
113
|
-
|
|
114
|
-
});
|
|
115
|
-
var clientCredentialAuthSchema = z.object({
|
|
116
|
-
identityProviderId: z.string(),
|
|
117
|
-
type: z.literal("client_credentials"),
|
|
118
|
-
issuer: z.string(),
|
|
119
|
-
configUrl: z.string(),
|
|
120
|
-
audience: z.string(),
|
|
121
|
-
scope: z.string(),
|
|
122
|
-
clientId: z.string(),
|
|
123
|
-
clientSecret: z.string(),
|
|
124
|
-
admin: z.optional(credentials)
|
|
100
|
+
clientSecret: z.string()
|
|
125
101
|
});
|
|
126
102
|
var selfSignedAuthSchema = z.object({
|
|
127
|
-
|
|
128
|
-
type: z.literal("self_signed"),
|
|
103
|
+
method: z.literal("self_signed"),
|
|
129
104
|
issuer: z.string(),
|
|
130
105
|
audience: z.string(),
|
|
131
106
|
scope: z.string(),
|
|
132
107
|
clientId: z.string(),
|
|
133
|
-
clientSecret: z.string()
|
|
134
|
-
admin: z.optional(credentials)
|
|
108
|
+
clientSecret: z.string()
|
|
135
109
|
});
|
|
136
|
-
var authSchema = z.discriminatedUnion("
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
clientCredentialAuthSchema,
|
|
110
|
+
var authSchema = z.discriminatedUnion("method", [
|
|
111
|
+
authorizationCodeAuthSchema,
|
|
112
|
+
clientCredentialsAuthSchema,
|
|
140
113
|
selfSignedAuthSchema
|
|
141
114
|
]);
|
|
115
|
+
var idpSchema = z.discriminatedUnion("type", [
|
|
116
|
+
z.object({
|
|
117
|
+
id: z.string(),
|
|
118
|
+
type: z.literal("self_signed"),
|
|
119
|
+
issuer: z.string()
|
|
120
|
+
}),
|
|
121
|
+
z.object({
|
|
122
|
+
id: z.string(),
|
|
123
|
+
type: z.literal("oauth"),
|
|
124
|
+
issuer: z.string(),
|
|
125
|
+
configUrl: z.string().url()
|
|
126
|
+
})
|
|
127
|
+
]);
|
|
142
128
|
var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
|
|
143
|
-
constructor(auth, logger, expirySeconds = 3600) {
|
|
129
|
+
constructor(auth, authAdmin, logger, expirySeconds = 3600) {
|
|
144
130
|
this.auth = auth;
|
|
131
|
+
this.authAdmin = authAdmin;
|
|
145
132
|
this.logger = logger;
|
|
146
133
|
this.expirySeconds = expirySeconds;
|
|
147
134
|
}
|
|
@@ -161,27 +148,27 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
|
|
|
161
148
|
}
|
|
162
149
|
async getAdminAccessToken() {
|
|
163
150
|
this.logger.debug("Fetching self-signed admin auth token");
|
|
164
|
-
if (!this.
|
|
151
|
+
if (!this.authAdmin) {
|
|
165
152
|
throw new Error("Admin credentials are not configured");
|
|
166
153
|
}
|
|
167
154
|
return _AuthTokenProviderSelfSigned.fetchToken(
|
|
168
155
|
this.logger,
|
|
169
156
|
{
|
|
170
|
-
clientId: this.
|
|
171
|
-
clientSecret: this.
|
|
172
|
-
scope: this.
|
|
173
|
-
audience: this.
|
|
157
|
+
clientId: this.authAdmin.clientId,
|
|
158
|
+
clientSecret: this.authAdmin.clientSecret,
|
|
159
|
+
scope: this.authAdmin.scope,
|
|
160
|
+
audience: this.authAdmin.audience
|
|
174
161
|
},
|
|
175
|
-
this.
|
|
162
|
+
this.authAdmin.issuer,
|
|
176
163
|
this.expirySeconds
|
|
177
164
|
);
|
|
178
165
|
}
|
|
179
|
-
static async fetchToken(logger,
|
|
180
|
-
const secret = new TextEncoder().encode(
|
|
166
|
+
static async fetchToken(logger, credentials, issuer, expirySeconds = 3600) {
|
|
167
|
+
const secret = new TextEncoder().encode(credentials.clientSecret);
|
|
181
168
|
const now = Math.floor(Date.now() / 1e3);
|
|
182
169
|
const jwt = await new SignJWT({
|
|
183
|
-
sub:
|
|
184
|
-
aud:
|
|
170
|
+
sub: credentials.clientId,
|
|
171
|
+
aud: credentials.audience || "",
|
|
185
172
|
iat: now,
|
|
186
173
|
exp: now + expirySeconds,
|
|
187
174
|
iss: issuer
|
|
@@ -193,55 +180,78 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
|
|
|
193
180
|
|
|
194
181
|
// src/auth-token-provider.ts
|
|
195
182
|
var AuthTokenProvider = class {
|
|
196
|
-
constructor(auth, logger) {
|
|
183
|
+
constructor(idp, auth, adminAuth, logger) {
|
|
184
|
+
this.idp = idp;
|
|
197
185
|
this.auth = auth;
|
|
186
|
+
this.adminAuth = adminAuth;
|
|
198
187
|
this.logger = logger;
|
|
199
188
|
}
|
|
200
189
|
async getUserAccessToken() {
|
|
201
190
|
this.logger.debug("Fetching user auth token");
|
|
202
|
-
if (this.auth.
|
|
191
|
+
if (this.auth.method === "self_signed")
|
|
203
192
|
return new AuthTokenProviderSelfSigned(
|
|
204
193
|
this.auth,
|
|
194
|
+
this.adminAuth,
|
|
205
195
|
this.logger
|
|
206
196
|
).getUserAccessToken();
|
|
207
|
-
if (this.auth.
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
197
|
+
if (this.auth.method === "client_credentials") {
|
|
198
|
+
if (this.idp.type === "oauth")
|
|
199
|
+
return clientCredentialsService(
|
|
200
|
+
this.idp.configUrl,
|
|
201
|
+
this.logger
|
|
202
|
+
).fetchToken({
|
|
203
|
+
clientId: this.auth.clientId,
|
|
204
|
+
clientSecret: this.auth.clientSecret,
|
|
205
|
+
scope: this.auth.scope,
|
|
206
|
+
audience: this.auth.audience
|
|
207
|
+
});
|
|
208
|
+
else {
|
|
209
|
+
throw new Error(
|
|
210
|
+
`IDP type ${this.idp.type} not supported for client_credentials auth`
|
|
211
|
+
);
|
|
212
|
+
}
|
|
213
|
+
}
|
|
217
214
|
throw new Error(
|
|
218
|
-
`Auth
|
|
215
|
+
`Auth method ${this.auth.method} not supported for user access token`
|
|
219
216
|
);
|
|
220
217
|
}
|
|
221
218
|
async getAdminAccessToken() {
|
|
222
219
|
this.logger.debug("Fetching admin auth token");
|
|
223
|
-
if (this.
|
|
220
|
+
if (this.adminAuth.method === "self_signed")
|
|
224
221
|
return new AuthTokenProviderSelfSigned(
|
|
225
222
|
this.auth,
|
|
223
|
+
this.adminAuth,
|
|
226
224
|
this.logger
|
|
227
225
|
).getAdminAccessToken();
|
|
228
|
-
if (!this.
|
|
226
|
+
if (!this.adminAuth) {
|
|
229
227
|
throw new Error(
|
|
230
|
-
`No admin credentials configured for auth type ${this.auth.
|
|
228
|
+
`No admin credentials configured for auth type ${this.auth.method}`
|
|
229
|
+
);
|
|
230
|
+
}
|
|
231
|
+
if (this.adminAuth.method === "client_credentials") {
|
|
232
|
+
if (this.idp.type === "oauth")
|
|
233
|
+
return clientCredentialsService(
|
|
234
|
+
this.idp.configUrl,
|
|
235
|
+
this.logger
|
|
236
|
+
).fetchToken({
|
|
237
|
+
clientId: this.adminAuth.clientId,
|
|
238
|
+
clientSecret: this.adminAuth.clientSecret,
|
|
239
|
+
scope: this.adminAuth.scope,
|
|
240
|
+
audience: this.adminAuth.audience
|
|
241
|
+
});
|
|
242
|
+
else {
|
|
243
|
+
throw new Error(
|
|
244
|
+
`IDP type ${this.idp.type} not supported for client_credentials auth`
|
|
245
|
+
);
|
|
246
|
+
}
|
|
247
|
+
} else {
|
|
248
|
+
throw new Error(
|
|
249
|
+
`Auth method ${this.auth.method} not supported for admin access token`
|
|
231
250
|
);
|
|
232
251
|
}
|
|
233
|
-
return clientCredentialsService(
|
|
234
|
-
this.auth.configUrl,
|
|
235
|
-
this.logger
|
|
236
|
-
).fetchToken({
|
|
237
|
-
clientId: this.auth.admin.clientId,
|
|
238
|
-
clientSecret: this.auth.admin.clientSecret,
|
|
239
|
-
scope: this.auth.scope,
|
|
240
|
-
audience: this.auth.audience
|
|
241
|
-
});
|
|
242
252
|
}
|
|
243
253
|
};
|
|
244
254
|
|
|
245
|
-
export { AuthTokenProvider, AuthTokenProviderSelfSigned, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService };
|
|
255
|
+
export { AuthTokenProvider, AuthTokenProviderSelfSigned, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService, idpSchema };
|
|
246
256
|
//# sourceMappingURL=index.js.map
|
|
247
257
|
//# sourceMappingURL=index.js.map
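Review bot: The info-level log at new lines 26–28 of fetchToken writes the whole token-endpoint response object, which includes the `access_token` that line 30 then checks, so bearer tokens for the user and admin clients end up in application logs; log only non-secret fields instead, e.g. `this.logger?.info({ clientId: credentials.clientId, tokenType: json.token_type, expiresIn: json.expires_in }, 'Fetched token')`. The message text still says "admin token" although the method now serves both user and admin credentials, which will mislead anyone triaging logs. The bundled source map suggests AuthTokenProviderSelfSigned.fetchToken logs the full self-signed JWT the same way a few lines past the `iss: issuer` hunk; that line is outside the visible hunks, so it should be confirmed and fixed together. Separately, in getAdminAccessToken the `if (!this.adminAuth)` guard at new line 226 runs after `this.adminAuth.method` is read at line 220, so a missing admin config surfaces as a TypeError rather than the intended error, and the fallthrough message at line 249 reports `this.auth.method` where `this.adminAuth.method` is meant.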
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials"],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,
MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAA
O;AAAA,EAClC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAA,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAKA,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB
,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":[],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;
AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,I
AAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC7DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAA
A,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: 
this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
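--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@canton-network/core-wallet-auth",
-"version": "0.
+"version": "0.12.0",
 "type": "module",
 "description": "Provides authentication middleware and user management for the Wallet Gateway",
 "repository": "github:hyperledger-labs/splice-wallet-kernel",
@@ -37,8 +37,8 @@
 "typescript": "^5.8.3"
 },
 "dependencies": {
-"@canton-network/core-rpc-errors": "^0.
-"@canton-network/core-types": "^0.
+"@canton-network/core-rpc-errors": "^0.8.0",
+"@canton-network/core-types": "^0.11.0",
 "jose": "^5.10.0",
 "zod": "^3.25.64"
 },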