@canton-network/core-wallet-auth 0.11.0 → 0.12.1

@@ -3,9 +3,10 @@ import { AccessTokenProvider, ClientCredentials } from './auth-service.js';
3
3
  import { SelfSignedAuth } from './config/schema.js';
4
4
  export declare class AuthTokenProviderSelfSigned implements AccessTokenProvider {
5
5
  private auth;
6
+ private authAdmin;
6
7
  private logger;
7
8
  private expirySeconds;
8
- constructor(auth: SelfSignedAuth, logger: Logger, expirySeconds?: number);
9
+ constructor(auth: SelfSignedAuth, authAdmin: SelfSignedAuth, logger: Logger, expirySeconds?: number);
9
10
  getUserAccessToken(): Promise<string>;
10
11
  getAdminAccessToken(): Promise<string>;
11
12
  static fetchToken(logger: Logger, credentials: ClientCredentials, issuer: string, expirySeconds?: number): Promise<string>;
@@ -1 +1 @@
1
- {"version":3,"file":"auth-token-provider-self-signed.d.ts","sourceRoot":"","sources":["../src/auth-token-provider-self-signed.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGnD,qBAAa,2BAA4B,YAAW,mBAAmB;IAE/D,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,aAAa;gBAFb,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa;IAGlC,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAerC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;WAkB/B,UAAU,CACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,iBAAiB,EAC9B,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa,GAC7B,OAAO,CAAC,MAAM,CAAC;CAgBrB"}
1
+ {"version":3,"file":"auth-token-provider-self-signed.d.ts","sourceRoot":"","sources":["../src/auth-token-provider-self-signed.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGnD,qBAAa,2BAA4B,YAAW,mBAAmB;IAE/D,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,aAAa;gBAHb,IAAI,EAAE,cAAc,EACpB,SAAS,EAAE,cAAc,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa;IAGlC,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAerC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;WAkB/B,UAAU,CACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,iBAAiB,EAC9B,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,MAAa,GAC7B,OAAO,CAAC,MAAM,CAAC;CAgBrB"}
@@ -1,10 +1,12 @@
1
1
  import { Logger } from '@canton-network/core-types';
2
2
  import { AccessTokenProvider } from './auth-service.js';
3
- import { Auth } from './config/schema.js';
3
+ import { Auth, Idp } from './config/schema.js';
4
4
  export declare class AuthTokenProvider implements AccessTokenProvider {
5
+ private idp;
5
6
  private auth;
7
+ private adminAuth;
6
8
  private logger;
7
- constructor(auth: Auth, logger: Logger);
9
+ constructor(idp: Idp, auth: Auth, adminAuth: Auth, logger: Logger);
8
10
  getUserAccessToken(): Promise<string>;
9
11
  getAdminAccessToken(): Promise<string>;
10
12
  }
@@ -1 +1 @@
1
- {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAIzC,qBAAa,iBAAkB,YAAW,mBAAmB;IAErD,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,MAAM;gBADN,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM;IAGpB,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAwBrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB/C"}
1
+ {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAkB,MAAM,oBAAoB,CAAA;AAI9D,qBAAa,iBAAkB,YAAW,mBAAmB;IAErD,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,MAAM;gBAHN,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,SAAS,EAAE,IAAI,EACf,MAAM,EAAE,MAAM;IAGpB,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAgCrC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC;CAqC/C"}
@@ -1,378 +1,58 @@
1
1
  import { z } from 'zod';
2
- declare const credentials: z.ZodObject<{
3
- clientId: z.ZodString;
4
- clientSecret: z.ZodString;
5
- }, "strip", z.ZodTypeAny, {
6
- clientId: string;
7
- clientSecret: string;
8
- }, {
9
- clientId: string;
10
- clientSecret: string;
11
- }>;
12
- declare const passwordAuthSchema: z.ZodObject<{
13
- identityProviderId: z.ZodString;
14
- type: z.ZodLiteral<"password">;
15
- issuer: z.ZodString;
16
- configUrl: z.ZodString;
2
+ declare const authorizationCodeAuthSchema: z.ZodObject<{
3
+ method: z.ZodLiteral<"authorization_code">;
17
4
  audience: z.ZodString;
18
- tokenUrl: z.ZodString;
19
- grantType: z.ZodString;
20
5
  scope: z.ZodString;
21
6
  clientId: z.ZodString;
22
- admin: z.ZodOptional<z.ZodObject<{
23
- clientId: z.ZodString;
24
- clientSecret: z.ZodString;
25
- }, "strip", z.ZodTypeAny, {
26
- clientId: string;
27
- clientSecret: string;
28
- }, {
29
- clientId: string;
30
- clientSecret: string;
31
- }>>;
32
- }, "strip", z.ZodTypeAny, {
33
- clientId: string;
34
- type: "password";
35
- identityProviderId: string;
36
- issuer: string;
37
- configUrl: string;
38
- audience: string;
39
- tokenUrl: string;
40
- grantType: string;
41
- scope: string;
42
- admin?: {
43
- clientId: string;
44
- clientSecret: string;
45
- } | undefined;
46
- }, {
47
- clientId: string;
48
- type: "password";
49
- identityProviderId: string;
50
- issuer: string;
51
- configUrl: string;
52
- audience: string;
53
- tokenUrl: string;
54
- grantType: string;
55
- scope: string;
56
- admin?: {
57
- clientId: string;
58
- clientSecret: string;
59
- } | undefined;
60
- }>;
61
- declare const implicitAuthSchema: z.ZodObject<{
62
- identityProviderId: z.ZodString;
63
- type: z.ZodLiteral<"implicit">;
64
- issuer: z.ZodString;
65
- configUrl: z.ZodString;
66
- audience: z.ZodString;
67
- scope: z.ZodString;
68
- clientId: z.ZodString;
69
- admin: z.ZodOptional<z.ZodObject<{
70
- clientId: z.ZodString;
71
- clientSecret: z.ZodString;
72
- }, "strip", z.ZodTypeAny, {
73
- clientId: string;
74
- clientSecret: string;
75
- }, {
76
- clientId: string;
77
- clientSecret: string;
78
- }>>;
79
- }, "strip", z.ZodTypeAny, {
80
- clientId: string;
81
- type: "implicit";
82
- identityProviderId: string;
83
- issuer: string;
84
- configUrl: string;
85
- audience: string;
86
- scope: string;
87
- admin?: {
88
- clientId: string;
89
- clientSecret: string;
90
- } | undefined;
91
- }, {
92
- clientId: string;
93
- type: "implicit";
94
- identityProviderId: string;
95
- issuer: string;
96
- configUrl: string;
97
- audience: string;
98
- scope: string;
99
- admin?: {
100
- clientId: string;
101
- clientSecret: string;
102
- } | undefined;
103
- }>;
104
- declare const clientCredentialAuthSchema: z.ZodObject<{
105
- identityProviderId: z.ZodString;
106
- type: z.ZodLiteral<"client_credentials">;
107
- issuer: z.ZodString;
108
- configUrl: z.ZodString;
7
+ }, z.core.$strip>;
8
+ declare const clientCredentialsAuthSchema: z.ZodObject<{
9
+ method: z.ZodLiteral<"client_credentials">;
109
10
  audience: z.ZodString;
110
11
  scope: z.ZodString;
111
12
  clientId: z.ZodString;
112
13
  clientSecret: z.ZodString;
113
- admin: z.ZodOptional<z.ZodObject<{
114
- clientId: z.ZodString;
115
- clientSecret: z.ZodString;
116
- }, "strip", z.ZodTypeAny, {
117
- clientId: string;
118
- clientSecret: string;
119
- }, {
120
- clientId: string;
121
- clientSecret: string;
122
- }>>;
123
- }, "strip", z.ZodTypeAny, {
124
- clientId: string;
125
- clientSecret: string;
126
- type: "client_credentials";
127
- identityProviderId: string;
128
- issuer: string;
129
- configUrl: string;
130
- audience: string;
131
- scope: string;
132
- admin?: {
133
- clientId: string;
134
- clientSecret: string;
135
- } | undefined;
136
- }, {
137
- clientId: string;
138
- clientSecret: string;
139
- type: "client_credentials";
140
- identityProviderId: string;
141
- issuer: string;
142
- configUrl: string;
143
- audience: string;
144
- scope: string;
145
- admin?: {
146
- clientId: string;
147
- clientSecret: string;
148
- } | undefined;
149
- }>;
14
+ }, z.core.$strip>;
150
15
  declare const selfSignedAuthSchema: z.ZodObject<{
151
- identityProviderId: z.ZodString;
152
- type: z.ZodLiteral<"self_signed">;
16
+ method: z.ZodLiteral<"self_signed">;
153
17
  issuer: z.ZodString;
154
18
  audience: z.ZodString;
155
19
  scope: z.ZodString;
156
20
  clientId: z.ZodString;
157
21
  clientSecret: z.ZodString;
158
- admin: z.ZodOptional<z.ZodObject<{
159
- clientId: z.ZodString;
160
- clientSecret: z.ZodString;
161
- }, "strip", z.ZodTypeAny, {
162
- clientId: string;
163
- clientSecret: string;
164
- }, {
165
- clientId: string;
166
- clientSecret: string;
167
- }>>;
168
- }, "strip", z.ZodTypeAny, {
169
- clientId: string;
170
- clientSecret: string;
171
- type: "self_signed";
172
- identityProviderId: string;
173
- issuer: string;
174
- audience: string;
175
- scope: string;
176
- admin?: {
177
- clientId: string;
178
- clientSecret: string;
179
- } | undefined;
180
- }, {
181
- clientId: string;
182
- clientSecret: string;
183
- type: "self_signed";
184
- identityProviderId: string;
185
- issuer: string;
186
- audience: string;
187
- scope: string;
188
- admin?: {
189
- clientId: string;
190
- clientSecret: string;
191
- } | undefined;
192
- }>;
193
- export declare const authSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
194
- identityProviderId: z.ZodString;
195
- type: z.ZodLiteral<"password">;
196
- issuer: z.ZodString;
197
- configUrl: z.ZodString;
22
+ }, z.core.$strip>;
23
+ export declare const authSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
24
+ method: z.ZodLiteral<"authorization_code">;
198
25
  audience: z.ZodString;
199
- tokenUrl: z.ZodString;
200
- grantType: z.ZodString;
201
26
  scope: z.ZodString;
202
27
  clientId: z.ZodString;
203
- admin: z.ZodOptional<z.ZodObject<{
204
- clientId: z.ZodString;
205
- clientSecret: z.ZodString;
206
- }, "strip", z.ZodTypeAny, {
207
- clientId: string;
208
- clientSecret: string;
209
- }, {
210
- clientId: string;
211
- clientSecret: string;
212
- }>>;
213
- }, "strip", z.ZodTypeAny, {
214
- clientId: string;
215
- type: "password";
216
- identityProviderId: string;
217
- issuer: string;
218
- configUrl: string;
219
- audience: string;
220
- tokenUrl: string;
221
- grantType: string;
222
- scope: string;
223
- admin?: {
224
- clientId: string;
225
- clientSecret: string;
226
- } | undefined;
227
- }, {
228
- clientId: string;
229
- type: "password";
230
- identityProviderId: string;
231
- issuer: string;
232
- configUrl: string;
233
- audience: string;
234
- tokenUrl: string;
235
- grantType: string;
236
- scope: string;
237
- admin?: {
238
- clientId: string;
239
- clientSecret: string;
240
- } | undefined;
241
- }>, z.ZodObject<{
242
- identityProviderId: z.ZodString;
243
- type: z.ZodLiteral<"implicit">;
244
- issuer: z.ZodString;
245
- configUrl: z.ZodString;
246
- audience: z.ZodString;
247
- scope: z.ZodString;
248
- clientId: z.ZodString;
249
- admin: z.ZodOptional<z.ZodObject<{
250
- clientId: z.ZodString;
251
- clientSecret: z.ZodString;
252
- }, "strip", z.ZodTypeAny, {
253
- clientId: string;
254
- clientSecret: string;
255
- }, {
256
- clientId: string;
257
- clientSecret: string;
258
- }>>;
259
- }, "strip", z.ZodTypeAny, {
260
- clientId: string;
261
- type: "implicit";
262
- identityProviderId: string;
263
- issuer: string;
264
- configUrl: string;
265
- audience: string;
266
- scope: string;
267
- admin?: {
268
- clientId: string;
269
- clientSecret: string;
270
- } | undefined;
271
- }, {
272
- clientId: string;
273
- type: "implicit";
274
- identityProviderId: string;
275
- issuer: string;
276
- configUrl: string;
277
- audience: string;
278
- scope: string;
279
- admin?: {
280
- clientId: string;
281
- clientSecret: string;
282
- } | undefined;
283
- }>, z.ZodObject<{
284
- identityProviderId: z.ZodString;
285
- type: z.ZodLiteral<"client_credentials">;
286
- issuer: z.ZodString;
287
- configUrl: z.ZodString;
28
+ }, z.core.$strip>, z.ZodObject<{
29
+ method: z.ZodLiteral<"client_credentials">;
288
30
  audience: z.ZodString;
289
31
  scope: z.ZodString;
290
32
  clientId: z.ZodString;
291
33
  clientSecret: z.ZodString;
292
- admin: z.ZodOptional<z.ZodObject<{
293
- clientId: z.ZodString;
294
- clientSecret: z.ZodString;
295
- }, "strip", z.ZodTypeAny, {
296
- clientId: string;
297
- clientSecret: string;
298
- }, {
299
- clientId: string;
300
- clientSecret: string;
301
- }>>;
302
- }, "strip", z.ZodTypeAny, {
303
- clientId: string;
304
- clientSecret: string;
305
- type: "client_credentials";
306
- identityProviderId: string;
307
- issuer: string;
308
- configUrl: string;
309
- audience: string;
310
- scope: string;
311
- admin?: {
312
- clientId: string;
313
- clientSecret: string;
314
- } | undefined;
315
- }, {
316
- clientId: string;
317
- clientSecret: string;
318
- type: "client_credentials";
319
- identityProviderId: string;
320
- issuer: string;
321
- configUrl: string;
322
- audience: string;
323
- scope: string;
324
- admin?: {
325
- clientId: string;
326
- clientSecret: string;
327
- } | undefined;
328
- }>, z.ZodObject<{
329
- identityProviderId: z.ZodString;
330
- type: z.ZodLiteral<"self_signed">;
34
+ }, z.core.$strip>, z.ZodObject<{
35
+ method: z.ZodLiteral<"self_signed">;
331
36
  issuer: z.ZodString;
332
37
  audience: z.ZodString;
333
38
  scope: z.ZodString;
334
39
  clientId: z.ZodString;
335
40
  clientSecret: z.ZodString;
336
- admin: z.ZodOptional<z.ZodObject<{
337
- clientId: z.ZodString;
338
- clientSecret: z.ZodString;
339
- }, "strip", z.ZodTypeAny, {
340
- clientId: string;
341
- clientSecret: string;
342
- }, {
343
- clientId: string;
344
- clientSecret: string;
345
- }>>;
346
- }, "strip", z.ZodTypeAny, {
347
- clientId: string;
348
- clientSecret: string;
349
- type: "self_signed";
350
- identityProviderId: string;
351
- issuer: string;
352
- audience: string;
353
- scope: string;
354
- admin?: {
355
- clientId: string;
356
- clientSecret: string;
357
- } | undefined;
358
- }, {
359
- clientId: string;
360
- clientSecret: string;
361
- type: "self_signed";
362
- identityProviderId: string;
363
- issuer: string;
364
- audience: string;
365
- scope: string;
366
- admin?: {
367
- clientId: string;
368
- clientSecret: string;
369
- } | undefined;
370
- }>]>;
41
+ }, z.core.$strip>], "method">;
371
42
  export type Auth = z.infer<typeof authSchema>;
372
- export type ImplicitAuth = z.infer<typeof implicitAuthSchema>;
373
- export type PasswordAuth = z.infer<typeof passwordAuthSchema>;
374
- export type Credentials = z.infer<typeof credentials>;
375
- export type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>;
43
+ export type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>;
44
+ export type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>;
376
45
  export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
46
+ export declare const idpSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
47
+ id: z.ZodString;
48
+ type: z.ZodLiteral<"self_signed">;
49
+ issuer: z.ZodString;
50
+ }, z.core.$strip>, z.ZodObject<{
51
+ id: z.ZodString;
52
+ type: z.ZodLiteral<"oauth">;
53
+ issuer: z.ZodString;
54
+ configUrl: z.ZodString;
55
+ }, z.core.$strip>], "type">;
56
+ export type Idp = z.infer<typeof idpSchema>;
377
57
  export {};
378
58
  //# sourceMappingURL=schema.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,WAAW;;;;;;;;;EAGf,CAAA;AAEF,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWtB,CAAA;AAEF,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAStB,CAAA;AAEF,QAAA,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU9B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAKrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAA;AACrD,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAC7E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}
1
+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;iBAK/B,CAAA;AAEF,QAAA,MAAM,2BAA2B;;;;;;iBAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;iBAOxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;6BAIrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;2BAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
package/dist/index.cjs CHANGED
@@ -16,18 +16,18 @@ var ClientCredentialsService = class {
16
16
  * @returns The JWT access token as a string.
17
17
  * @throws If fetching the token fails or the response is invalid.
18
18
  */
19
- async fetchToken(credentials2) {
19
+ async fetchToken(credentials) {
20
20
  try {
21
21
  const oidcConfig = await this.getOIDCConfig(this.configUrl);
22
22
  this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
23
23
  const res = await this.fetchTokenEndpoint(
24
24
  oidcConfig.token_endpoint,
25
- credentials2
25
+ credentials
26
26
  );
27
27
  const json = await res.json();
28
28
  this.logger?.info(
29
29
  { response: json },
30
- `Fetched admin token for clientId: ${credentials2.clientId}`
30
+ `Fetched admin token for clientId: ${credentials.clientId}`
31
31
  );
32
32
  if (!json.access_token) {
33
33
  throw new Error("No access_token in token endpoint response");
@@ -38,13 +38,13 @@ var ClientCredentialsService = class {
38
38
  throw error;
39
39
  }
40
40
  }
41
- async fetchTokenEndpoint(tokenEndpoint, credentials2) {
41
+ async fetchTokenEndpoint(tokenEndpoint, credentials) {
42
42
  const params = new URLSearchParams({
43
43
  grant_type: "client_credentials",
44
- client_id: credentials2.clientId,
45
- client_secret: credentials2.clientSecret,
46
- scope: credentials2.scope ?? "",
47
- audience: credentials2.audience ?? ""
44
+ client_id: credentials.clientId,
45
+ client_secret: credentials.clientSecret,
46
+ scope: credentials.scope ?? "",
47
+ audience: credentials.audience ?? ""
48
48
  });
49
49
  const res = await fetch(tokenEndpoint, {
50
50
  method: "POST",
@@ -78,7 +78,7 @@ var ClientCredentialsService = class {
78
78
  }
79
79
  };
80
80
  var clientCredentialsService = (configUrl, logger) => ({
81
- fetchToken: async (credentials2) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials2)
81
+ fetchToken: async (credentials) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials)
82
82
  });
83
83
  function assertConnected(authContext) {
84
84
  if (!authContext) {
@@ -88,62 +88,49 @@ function assertConnected(authContext) {
88
88
  }
89
89
  return authContext;
90
90
  }
91
- var credentials = zod.z.object({
92
- clientId: zod.z.string(),
93
- clientSecret: zod.z.string()
94
- });
95
- var passwordAuthSchema = zod.z.object({
96
- identityProviderId: zod.z.string(),
97
- type: zod.z.literal("password"),
98
- issuer: zod.z.string(),
99
- configUrl: zod.z.string(),
91
+ var authorizationCodeAuthSchema = zod.z.object({
92
+ method: zod.z.literal("authorization_code"),
100
93
  audience: zod.z.string(),
101
- tokenUrl: zod.z.string(),
102
- grantType: zod.z.string(),
103
94
  scope: zod.z.string(),
104
- clientId: zod.z.string(),
105
- admin: zod.z.optional(credentials)
95
+ clientId: zod.z.string()
106
96
  });
107
- var implicitAuthSchema = zod.z.object({
108
- identityProviderId: zod.z.string(),
109
- type: zod.z.literal("implicit"),
110
- issuer: zod.z.string(),
111
- configUrl: zod.z.string(),
97
+ var clientCredentialsAuthSchema = zod.z.object({
98
+ method: zod.z.literal("client_credentials"),
112
99
  audience: zod.z.string(),
113
100
  scope: zod.z.string(),
114
101
  clientId: zod.z.string(),
115
- admin: zod.z.optional(credentials)
116
- });
117
- var clientCredentialAuthSchema = zod.z.object({
118
- identityProviderId: zod.z.string(),
119
- type: zod.z.literal("client_credentials"),
120
- issuer: zod.z.string(),
121
- configUrl: zod.z.string(),
122
- audience: zod.z.string(),
123
- scope: zod.z.string(),
124
- clientId: zod.z.string(),
125
- clientSecret: zod.z.string(),
126
- admin: zod.z.optional(credentials)
102
+ clientSecret: zod.z.string()
127
103
  });
128
104
  var selfSignedAuthSchema = zod.z.object({
129
- identityProviderId: zod.z.string(),
130
- type: zod.z.literal("self_signed"),
105
+ method: zod.z.literal("self_signed"),
131
106
  issuer: zod.z.string(),
132
107
  audience: zod.z.string(),
133
108
  scope: zod.z.string(),
134
109
  clientId: zod.z.string(),
135
- clientSecret: zod.z.string(),
136
- admin: zod.z.optional(credentials)
110
+ clientSecret: zod.z.string()
137
111
  });
138
- var authSchema = zod.z.discriminatedUnion("type", [
139
- passwordAuthSchema,
140
- implicitAuthSchema,
141
- clientCredentialAuthSchema,
112
+ var authSchema = zod.z.discriminatedUnion("method", [
113
+ authorizationCodeAuthSchema,
114
+ clientCredentialsAuthSchema,
142
115
  selfSignedAuthSchema
143
116
  ]);
117
+ var idpSchema = zod.z.discriminatedUnion("type", [
118
+ zod.z.object({
119
+ id: zod.z.string(),
120
+ type: zod.z.literal("self_signed"),
121
+ issuer: zod.z.string()
122
+ }),
123
+ zod.z.object({
124
+ id: zod.z.string(),
125
+ type: zod.z.literal("oauth"),
126
+ issuer: zod.z.string(),
127
+ configUrl: zod.z.string().url()
128
+ })
129
+ ]);
144
130
  var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
145
- constructor(auth, logger, expirySeconds = 3600) {
131
+ constructor(auth, authAdmin, logger, expirySeconds = 3600) {
146
132
  this.auth = auth;
133
+ this.authAdmin = authAdmin;
147
134
  this.logger = logger;
148
135
  this.expirySeconds = expirySeconds;
149
136
  }
@@ -163,27 +150,27 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
163
150
  }
164
151
  async getAdminAccessToken() {
165
152
  this.logger.debug("Fetching self-signed admin auth token");
166
- if (!this.auth.admin) {
153
+ if (!this.authAdmin) {
167
154
  throw new Error("Admin credentials are not configured");
168
155
  }
169
156
  return _AuthTokenProviderSelfSigned.fetchToken(
170
157
  this.logger,
171
158
  {
172
- clientId: this.auth.admin.clientId,
173
- clientSecret: this.auth.admin.clientSecret,
174
- scope: this.auth.scope,
175
- audience: this.auth.audience
159
+ clientId: this.authAdmin.clientId,
160
+ clientSecret: this.authAdmin.clientSecret,
161
+ scope: this.authAdmin.scope,
162
+ audience: this.authAdmin.audience
176
163
  },
177
- this.auth.issuer,
164
+ this.authAdmin.issuer,
178
165
  this.expirySeconds
179
166
  );
180
167
  }
181
- static async fetchToken(logger, credentials2, issuer, expirySeconds = 3600) {
182
- const secret = new TextEncoder().encode(credentials2.clientSecret);
168
+ static async fetchToken(logger, credentials, issuer, expirySeconds = 3600) {
169
+ const secret = new TextEncoder().encode(credentials.clientSecret);
183
170
  const now = Math.floor(Date.now() / 1e3);
184
171
  const jwt = await new jose.SignJWT({
185
- sub: credentials2.clientId,
186
- aud: credentials2.audience || "",
172
+ sub: credentials.clientId,
173
+ aud: credentials.audience || "",
187
174
  iat: now,
188
175
  exp: now + expirySeconds,
189
176
  iss: issuer
@@ -195,52 +182,75 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
195
182
 
196
183
  // src/auth-token-provider.ts
197
184
  var AuthTokenProvider = class {
198
- constructor(auth, logger) {
185
+ constructor(idp, auth, adminAuth, logger) {
186
+ this.idp = idp;
199
187
  this.auth = auth;
188
+ this.adminAuth = adminAuth;
200
189
  this.logger = logger;
201
190
  }
202
191
  async getUserAccessToken() {
203
192
  this.logger.debug("Fetching user auth token");
204
- if (this.auth.type === "self_signed")
193
+ if (this.auth.method === "self_signed")
205
194
  return new AuthTokenProviderSelfSigned(
206
195
  this.auth,
196
+ this.adminAuth,
207
197
  this.logger
208
198
  ).getUserAccessToken();
209
- if (this.auth.type === "client_credentials")
210
- return clientCredentialsService(
211
- this.auth.configUrl,
212
- this.logger
213
- ).fetchToken({
214
- clientId: this.auth.clientId,
215
- clientSecret: this.auth.clientSecret,
216
- scope: this.auth.scope,
217
- audience: this.auth.audience
218
- });
199
+ if (this.auth.method === "client_credentials") {
200
+ if (this.idp.type === "oauth")
201
+ return clientCredentialsService(
202
+ this.idp.configUrl,
203
+ this.logger
204
+ ).fetchToken({
205
+ clientId: this.auth.clientId,
206
+ clientSecret: this.auth.clientSecret,
207
+ scope: this.auth.scope,
208
+ audience: this.auth.audience
209
+ });
210
+ else {
211
+ throw new Error(
212
+ `IDP type ${this.idp.type} not supported for client_credentials auth`
213
+ );
214
+ }
215
+ }
219
216
  throw new Error(
220
- `Auth type ${this.auth.type} not supported for user access token`
217
+ `Auth method ${this.auth.method} not supported for user access token`
221
218
  );
222
219
  }
223
220
  async getAdminAccessToken() {
224
221
  this.logger.debug("Fetching admin auth token");
225
- if (this.auth.type === "self_signed")
222
+ if (this.adminAuth.method === "self_signed")
226
223
  return new AuthTokenProviderSelfSigned(
227
224
  this.auth,
225
+ this.adminAuth,
228
226
  this.logger
229
227
  ).getAdminAccessToken();
230
- if (!this.auth.admin) {
228
+ if (!this.adminAuth) {
231
229
  throw new Error(
232
- `No admin credentials configured for auth type ${this.auth.type}`
230
+ `No admin credentials configured for auth type ${this.auth.method}`
231
+ );
232
+ }
233
+ if (this.adminAuth.method === "client_credentials") {
234
+ if (this.idp.type === "oauth")
235
+ return clientCredentialsService(
236
+ this.idp.configUrl,
237
+ this.logger
238
+ ).fetchToken({
239
+ clientId: this.adminAuth.clientId,
240
+ clientSecret: this.adminAuth.clientSecret,
241
+ scope: this.adminAuth.scope,
242
+ audience: this.adminAuth.audience
243
+ });
244
+ else {
245
+ throw new Error(
246
+ `IDP type ${this.idp.type} not supported for client_credentials auth`
247
+ );
248
+ }
249
+ } else {
250
+ throw new Error(
251
+ `Auth method ${this.auth.method} not supported for admin access token`
233
252
  );
234
253
  }
235
- return clientCredentialsService(
236
- this.auth.configUrl,
237
- this.logger
238
- ).fetchToken({
239
- clientId: this.auth.admin.clientId,
240
- clientSecret: this.auth.admin.clientSecret,
241
- scope: this.auth.scope,
242
- audience: this.auth.audience
243
- });
244
254
  }
245
255
  };
246
256
 
@@ -250,5 +260,6 @@ exports.ClientCredentialsService = ClientCredentialsService;
250
260
  exports.assertConnected = assertConnected;
251
261
  exports.authSchema = authSchema;
252
262
  exports.clientCredentialsService = clientCredentialsService;
263
+ exports.idpSchema = idpSchema;
253
264
  //# sourceMappingURL=index.cjs.map
254
265
  //# sourceMappingURL=index.cjs.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials","providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,
EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMC,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAcC,MAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqBA,MAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6BA,MAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAWA,MAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,C
AAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,kBAAA,EAAoBA,MAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAOA,KAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAF,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIG,YAAA,CAAQ;AAAA,MAC1B,KAAKH,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,
GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,I
AAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA
,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC7DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAA
O,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: 
this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
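--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -14,18 +14,18 @@ var ClientCredentialsService = class {
  * @returns The JWT access token as a string.
  * @throws If fetching the token fails or the response is invalid.
  */
- async fetchToken(credentials2) {
+ async fetchToken(credentials) {
  try {
  const oidcConfig = await this.getOIDCConfig(this.configUrl);
  this.logger?.debug({ oidcConfig }, "Fetched OIDC config");
  const res = await this.fetchTokenEndpoint(
  oidcConfig.token_endpoint,
- credentials2
+ credentials
  );
  const json = await res.json();
  this.logger?.info(
  { response: json },
- `Fetched admin token for clientId: ${credentials2.clientId}`
+ `Fetched admin token for clientId: ${credentials.clientId}`
  );
  if (!json.access_token) {
  throw new Error("No access_token in token endpoint response");
@@ -36,13 +36,13 @@ var ClientCredentialsService = class {
  throw error;
  }
  }
- async fetchTokenEndpoint(tokenEndpoint, credentials2) {
+ async fetchTokenEndpoint(tokenEndpoint, credentials) {
  const params = new URLSearchParams({
  grant_type: "client_credentials",
- client_id: credentials2.clientId,
- client_secret: credentials2.clientSecret,
- scope: credentials2.scope ?? "",
- audience: credentials2.audience ?? ""
+ client_id: credentials.clientId,
+ client_secret: credentials.clientSecret,
+ scope: credentials.scope ?? "",
+ audience: credentials.audience ?? ""
  });
  const res = await fetch(tokenEndpoint, {
  method: "POST",
@@ -76,7 +76,7 @@ var ClientCredentialsService = class {
  }
  };
  var clientCredentialsService = (configUrl, logger) => ({
- fetchToken: async (credentials2) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials2)
+ fetchToken: async (credentials) => new ClientCredentialsService(configUrl, logger).fetchToken(credentials)
  });
  function assertConnected(authContext) {
  if (!authContext) {
@@ -86,62 +86,49 @@ function assertConnected(authContext) {
  }
  return authContext;
  }
- var credentials = z.object({
- clientId: z.string(),
- clientSecret: z.string()
- });
- var passwordAuthSchema = z.object({
- identityProviderId: z.string(),
- type: z.literal("password"),
- issuer: z.string(),
- configUrl: z.string(),
+ var authorizationCodeAuthSchema = z.object({
+ method: z.literal("authorization_code"),
  audience: z.string(),
- tokenUrl: z.string(),
- grantType: z.string(),
  scope: z.string(),
- clientId: z.string(),
- admin: z.optional(credentials)
+ clientId: z.string()
  });
- var implicitAuthSchema = z.object({
- identityProviderId: z.string(),
- type: z.literal("implicit"),
- issuer: z.string(),
- configUrl: z.string(),
+ var clientCredentialsAuthSchema = z.object({
+ method: z.literal("client_credentials"),
  audience: z.string(),
  scope: z.string(),
  clientId: z.string(),
- admin: z.optional(credentials)
- });
- var clientCredentialAuthSchema = z.object({
- identityProviderId: z.string(),
- type: z.literal("client_credentials"),
- issuer: z.string(),
- configUrl: z.string(),
- audience: z.string(),
- scope: z.string(),
- clientId: z.string(),
- clientSecret: z.string(),
- admin: z.optional(credentials)
+ clientSecret: z.string()
  });
  var selfSignedAuthSchema = z.object({
- identityProviderId: z.string(),
- type: z.literal("self_signed"),
+ method: z.literal("self_signed"),
  issuer: z.string(),
  audience: z.string(),
  scope: z.string(),
  clientId: z.string(),
- clientSecret: z.string(),
- admin: z.optional(credentials)
+ clientSecret: z.string()
  });
- var authSchema = z.discriminatedUnion("type", [
- passwordAuthSchema,
- implicitAuthSchema,
- clientCredentialAuthSchema,
+ var authSchema = z.discriminatedUnion("method", [
+ authorizationCodeAuthSchema,
+ clientCredentialsAuthSchema,
  selfSignedAuthSchema
  ]);
+ var idpSchema = z.discriminatedUnion("type", [
+ z.object({
+ id: z.string(),
+ type: z.literal("self_signed"),
+ issuer: z.string()
+ }),
+ z.object({
+ id: z.string(),
+ type: z.literal("oauth"),
+ issuer: z.string(),
+ configUrl: z.string().url()
+ })
+ ]);
  var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
- constructor(auth, logger, expirySeconds = 3600) {
+ constructor(auth, authAdmin, logger, expirySeconds = 3600) {
  this.auth = auth;
+ this.authAdmin = authAdmin;
  this.logger = logger;
  this.expirySeconds = expirySeconds;
  }
@@ -161,27 +148,27 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
  }
  async getAdminAccessToken() {
  this.logger.debug("Fetching self-signed admin auth token");
- if (!this.auth.admin) {
+ if (!this.authAdmin) {
  throw new Error("Admin credentials are not configured");
  }
  return _AuthTokenProviderSelfSigned.fetchToken(
  this.logger,
  {
- clientId: this.auth.admin.clientId,
- clientSecret: this.auth.admin.clientSecret,
- scope: this.auth.scope,
- audience: this.auth.audience
+ clientId: this.authAdmin.clientId,
+ clientSecret: this.authAdmin.clientSecret,
+ scope: this.authAdmin.scope,
+ audience: this.authAdmin.audience
  },
- this.auth.issuer,
+ this.authAdmin.issuer,
  this.expirySeconds
  );
  }
- static async fetchToken(logger, credentials2, issuer, expirySeconds = 3600) {
- const secret = new TextEncoder().encode(credentials2.clientSecret);
+ static async fetchToken(logger, credentials, issuer, expirySeconds = 3600) {
+ const secret = new TextEncoder().encode(credentials.clientSecret);
  const now = Math.floor(Date.now() / 1e3);
  const jwt = await new SignJWT({
- sub: credentials2.clientId,
- aud: credentials2.audience || "",
+ sub: credentials.clientId,
+ aud: credentials.audience || "",
  iat: now,
  exp: now + expirySeconds,
  iss: issuer
@@ -193,55 +180,78 @@ var AuthTokenProviderSelfSigned = class _AuthTokenProviderSelfSigned {
 
  // src/auth-token-provider.ts
  var AuthTokenProvider = class {
- constructor(auth, logger) {
+ constructor(idp, auth, adminAuth, logger) {
+ this.idp = idp;
  this.auth = auth;
+ this.adminAuth = adminAuth;
  this.logger = logger;
  }
  async getUserAccessToken() {
  this.logger.debug("Fetching user auth token");
- if (this.auth.type === "self_signed")
+ if (this.auth.method === "self_signed")
  return new AuthTokenProviderSelfSigned(
  this.auth,
+ this.adminAuth,
  this.logger
  ).getUserAccessToken();
- if (this.auth.type === "client_credentials")
- return clientCredentialsService(
- this.auth.configUrl,
- this.logger
- ).fetchToken({
- clientId: this.auth.clientId,
- clientSecret: this.auth.clientSecret,
- scope: this.auth.scope,
- audience: this.auth.audience
- });
+ if (this.auth.method === "client_credentials") {
+ if (this.idp.type === "oauth")
+ return clientCredentialsService(
+ this.idp.configUrl,
+ this.logger
+ ).fetchToken({
+ clientId: this.auth.clientId,
+ clientSecret: this.auth.clientSecret,
+ scope: this.auth.scope,
+ audience: this.auth.audience
+ });
+ else {
+ throw new Error(
+ `IDP type ${this.idp.type} not supported for client_credentials auth`
+ );
+ }
+ }
  throw new Error(
- `Auth type ${this.auth.type} not supported for user access token`
+ `Auth method ${this.auth.method} not supported for user access token`
  );
  }
  async getAdminAccessToken() {
  this.logger.debug("Fetching admin auth token");
- if (this.auth.type === "self_signed")
+ if (this.adminAuth.method === "self_signed")
  return new AuthTokenProviderSelfSigned(
  this.auth,
+ this.adminAuth,
  this.logger
  ).getAdminAccessToken();
- if (!this.auth.admin) {
+ if (!this.adminAuth) {
  throw new Error(
- `No admin credentials configured for auth type ${this.auth.type}`
+ `No admin credentials configured for auth type ${this.auth.method}`
+ );
+ }
+ if (this.adminAuth.method === "client_credentials") {
+ if (this.idp.type === "oauth")
+ return clientCredentialsService(
+ this.idp.configUrl,
+ this.logger
+ ).fetchToken({
+ clientId: this.adminAuth.clientId,
+ clientSecret: this.adminAuth.clientSecret,
+ scope: this.adminAuth.scope,
+ audience: this.adminAuth.audience
+ });
+ else {
+ throw new Error(
+ `IDP type ${this.idp.type} not supported for client_credentials auth`
+ );
+ }
+ } else {
+ throw new Error(
+ `Auth method ${this.auth.method} not supported for admin access token`
  );
  }
- return clientCredentialsService(
- this.auth.configUrl,
- this.logger
- ).fetchToken({
- clientId: this.auth.admin.clientId,
- clientSecret: this.auth.admin.clientSecret,
- scope: this.auth.scope,
- audience: this.auth.audience
- });
  }
  };
 
- export { AuthTokenProvider, AuthTokenProviderSelfSigned, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService };
+ export { AuthTokenProvider, AuthTokenProviderSelfSigned, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService, idpSchema };
  //# sourceMappingURL=index.js.map
  //# sourceMappingURL=index.js.map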
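Review bot: In the new `AuthTokenProvider.getAdminAccessToken` (new line 220), `this.adminAuth.method === "self_signed"` dereferences `adminAuth` before the `if (!this.adminAuth)` guard at new line 226, so a provider constructed without admin credentials fails with a TypeError on `.method` instead of the intended `No admin credentials configured ...` error, and that guard can never fire; the guard should be the first statement after the debug log. The fallback message at new line 249, `Auth method ${this.auth.method} not supported for admin access token`, reports the user auth's method although it is `this.adminAuth.method` that was just tested, so a misconfiguration is reported against the wrong object; the same mismatch is in the "No admin credentials" message at new line 228. The unchanged self-signed branch of `getUserAccessToken` (new line 194) hands `this.adminAuth` to `AuthTokenProviderSelfSigned` without checking it; that is tolerable only because that class re-checks `authAdmin` in its own `getAdminAccessToken` (new line 151). Separately, the `this.logger?.info({ response: json }, ...)` call that the first hunk touches (new lines 26–28, the rest of `fetchToken` is outside the hunk) still writes the whole token-endpoint response, including `access_token`, to the log at info level; logging only non-secret fields such as `token_type` and `expires_in` alongside the clientId would keep bearer tokens out of log sinks.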
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["credentials"],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAWA,YAAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACXA;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqCA,aAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACAA,YAAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAWA,YAAAA,CAAY,QAAA;AAAA,MACvB,eAAeA,YAAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAOA,aAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAUA,aAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAA
O,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAOA,YAAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAWA,YAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACzB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,kBAAA,GAAqB,EAAE,MAAA,CAAO;AAAA,EAChC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,UAAU,CAAA;AAAA,EAC1B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EACxC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACpC,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,EACpB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,C
AAO;AAAA,EAClC,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC7B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,KAAA,EAAO,CAAA,CAAE,QAAA,CAAS,WAAW;AACjC,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACnD,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACJ,CAAC;ACtDM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,MAAA,EACA,aAAA,GAAwB,IAAA,EAClC;AAHU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,QAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,QAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACAA,YAAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,aAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAKA,YAAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAKA,aAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAA
mB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC5DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,MACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,oBAAA;AACnB,MAAA,OAAO,wBAAA;AAAA,QACH,KAAK,IAAA,CAAK,SAAA;AAAA,QACV,IAAA,CAAK;AAAA,QACP,UAAA,CAAW;AAAA,QACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACvB,CAAA;AAEL,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,UAAA,EAAa,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,oCAAA;AAAA,KAC/B;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,KAAK,IAAA,KAAS,aAAA;AACnB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAAA,OACnE;AAAA,IACJ;AACA,IAAA,OAAO,wBAAA;AAAA,MACH,KAAK,IAAA,CAAK,SAAA;AAAA,MACV,IAAA,CAAK;AAAA,MACP,UAAA,CAAW;AAAA,MACT,QAAA,EAAU,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAA;AAAA,MAC1B,YAAA,EAAc,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,YAAA;AAAA,MAC9B,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,MACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,KACvB,CAAA;AAAA,EACL;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst credentials = z.object({\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst passwordAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('password'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n tokenUrl: z.string(),\n grantType: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst implicitAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('implicit'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n admin: z.optional(credentials),\n})\n\nconst clientCredentialAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('client_credentials'),\n issuer: z.string(),\n configUrl: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nconst selfSignedAuthSchema = z.object({\n identityProviderId: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n admin: z.optional(credentials),\n})\n\nexport const authSchema = z.discriminatedUnion('type', [\n passwordAuthSchema,\n implicitAuthSchema,\n clientCredentialAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type ImplicitAuth = z.infer<typeof implicitAuthSchema>\nexport type PasswordAuth = z.infer<typeof passwordAuthSchema>\nexport type Credentials = z.infer<typeof credentials>\nexport type ClientCredentialAuth = z.infer<typeof clientCredentialAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.auth.admin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private auth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.type === 'client_credentials')\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n\n throw new Error(\n `Auth type ${this.auth.type} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.auth.type === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.auth.admin) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.type}`\n )\n }\n return clientCredentialsService(\n this.auth.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.admin.clientId,\n clientSecret: this.auth.admin.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":[],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAA
K;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA
,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC7DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;A
AAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: 
this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
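--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@canton-network/core-wallet-auth",
-  "version": "0.11.0",
+  "version": "0.12.1",
   "type": "module",
   "description": "Provides authentication middleware and user management for the Wallet Gateway",
   "repository": "github:hyperledger-labs/splice-wallet-kernel",
@@ -37,10 +37,10 @@
     "typescript": "^5.8.3"
   },
   "dependencies": {
-    "@canton-network/core-rpc-errors": "^0.7.0",
-    "@canton-network/core-types": "^0.10.0",
+    "@canton-network/core-rpc-errors": "^0.8.1",
+    "@canton-network/core-types": "^0.11.1",
     "jose": "^5.10.0",
-    "zod": "^3.25.64"
+    "zod": "^4.1.12"
   },
   "files": [
     "dist/**"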
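Review bot: The `"zod": "^4.1.12"` line in the dependencies hunk is a major-version jump from `^3.25.64`, and nothing else in this section shows that the schema module was migrated with it. The embedded sourcesContent for `config/schema.ts` (visible earlier on this page) still builds its config validators with `z.discriminatedUnion` and `z.string().url()`; as far as I recall, `z.string().url()` is deprecated in zod 4 in favour of `z.url()` and `discriminatedUnion` had behavioural adjustments, so it is worth confirming the auth-config schemas still reject the same malformed `configUrl`/`method` values under the new major before relying on them to gate which IdP a token is fetched from. A caret range on a fresh major (`^4.1.12`) also pulls every later 4.x minor automatically; if the wallet gateway pins its other security-relevant libraries (e.g. `jose` stays at `^5.10.0`), consider whether a lockfile-level pin is wanted here too.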