@canton-network/core-wallet-auth 0.16.0 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs.map +1 -1
- package/dist/index.js.map +1 -1
- package/package.json +7 -7
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC9DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":["providerErrors","z","SignJWT"],"mappings":";;;;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC9DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":[],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC9DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/client-credentials-service.ts","../src/auth-utils.ts","../src/config/schema.ts","../src/auth-token-provider-self-signed.ts","../src/auth-token-provider.ts"],"names":[],"mappings":";;;;;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC5FO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;ACVA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC;AC5CM,IAAM,2BAAA,GAAN,MAAM,4BAAA,CAA2D;AAAA,EACpE,WAAA,CACY,IAAA,EACA,SAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EAClC;AAJU,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,sCAAsC,CAAA;AACxD,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,QACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,QACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,OACxB;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,uCAAuC,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IAC1D;AACA,IAAA,OAAO,4BAAA,CAA4B,UAAA;AAAA,MAC/B,IAAA,CAAK,MAAA;AAAA,MACL;AAAA,QACI,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,QACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,QAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,QACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC7B;AAAA,MACA,KAAK,SAAA,CAAU,MAAA;AAAA,MACf,IAAA,CAAK;AAAA,KACT;AAAA,EACJ;AAAA,EAEA,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ;;;AC9DO,IAAM,oBAAN,MAAuD;AAAA,EAC1D,WAAA,CACY,GAAA,EACA,IAAA,EACA,SAAA,EACA,MAAA,EACV;AAJU,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA,EAEH,MAAM,kBAAA,GAAsC;AACxC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAC5C,IAAA,IAAI,IAAA,CAAK,KAAK,MAAA,KAAW,aAAA;AACrB,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,kBAAA,EAAmB;AAEzB,IAAA,IAAI,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,oBAAA,EAAsB;AAC3C,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,IAAA,CAAK,QAAA;AAAA,UACpB,YAAA,EAAc,KAAK,IAAA,CAAK,YAAA;AAAA,UACxB,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,UACjB,QAAA,EAAU,KAAK,IAAA,CAAK;AAAA,SACvB,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,oCAAA;AAAA,KACnC;AAAA,EACJ;AAAA,EAEA,MAAM,mBAAA,GAAuC;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,2BAA2B,CAAA;AAC7C,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,KAAW,aAAA;AAC1B,MAAA,OAAO,IAAI,2BAAA;AAAA,QACP,IAAA,CAAK,IAAA;AAAA,QACL,IAAA,CAAK,SAAA;AAAA,QACL,IAAA,CAAK;AAAA,QACP,mBAAA,EAAoB;AAE1B,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,8CAAA,EAAiD,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA;AAAA,OACrE;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,KAAW,oBAAA,EAAsB;AAChD,MAAA,IAAI,IAAA,CAAK,IAAI,IAAA,KAAS,OAAA;AAClB,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,GAAA,CAAI,SAAA;AAAA,UACT,IAAA,CAAK;AAAA,UACP,UAAA,CAAW;AAAA,UACT,QAAA,EAAU,KAAK,SAAA,CAAU,QAAA;AAAA,UACzB,YAAA,EAAc,KAAK,SAAA,CAAU,YAAA;AAAA,UAC7B,KAAA,EAAO,KAAK,SAAA,CAAU,KAAA;AAAA,UACtB,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,SAC5B,CAAA;AAAA,WACA;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAA,CAAK,GAAA,CAAI,IAAI,CAAA,0CAAA;AAAA,SAC7B;AAAA,MACJ;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,YAAA,EAAe,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,qCAAA;AAAA,OACnC;AAAA,IACJ;AAAA,EACJ;AACJ","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider, ClientCredentials } from './auth-service.js'\nimport { SelfSignedAuth } from './config/schema.js'\nimport { SignJWT } from 'jose'\n\nexport class AuthTokenProviderSelfSigned implements AccessTokenProvider {\n constructor(\n private auth: SelfSignedAuth,\n private authAdmin: SelfSignedAuth,\n private logger: Logger,\n private expirySeconds: number = 3600\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed user auth token')\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n },\n this.auth.issuer,\n this.expirySeconds\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching self-signed admin auth token')\n if (!this.authAdmin) {\n throw new Error('Admin credentials are not configured')\n }\n return AuthTokenProviderSelfSigned.fetchToken(\n this.logger,\n {\n clientId: this.authAdmin.clientId,\n clientSecret: this.authAdmin.clientSecret,\n scope: this.authAdmin.scope,\n audience: this.authAdmin.audience,\n },\n this.authAdmin.issuer,\n this.expirySeconds\n )\n }\n\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { AccessTokenProvider } from './auth-service.js'\nimport { Auth, Idp, SelfSignedAuth } from './config/schema.js'\nimport { AuthTokenProviderSelfSigned } from './auth-token-provider-self-signed.js'\nimport { clientCredentialsService } from './client-credentials-service.js'\n\nexport class AuthTokenProvider implements AccessTokenProvider {\n constructor(\n private idp: Idp,\n private auth: Auth,\n private adminAuth: Auth,\n private logger: Logger\n ) {}\n\n async getUserAccessToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n if (this.auth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getUserAccessToken()\n\n if (this.auth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.auth.clientId,\n clientSecret: this.auth.clientSecret,\n scope: this.auth.scope,\n audience: this.auth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${this.auth.method} not supported for user access token`\n )\n }\n\n async getAdminAccessToken(): Promise<string> {\n this.logger.debug('Fetching admin auth token')\n if (this.adminAuth.method === 'self_signed')\n return new AuthTokenProviderSelfSigned(\n this.auth as SelfSignedAuth,\n this.adminAuth as SelfSignedAuth,\n this.logger\n ).getAdminAccessToken()\n\n if (!this.adminAuth) {\n throw new Error(\n `No admin credentials configured for auth type ${this.auth.method}`\n )\n }\n\n if (this.adminAuth.method === 'client_credentials') {\n if (this.idp.type === 'oauth')\n return clientCredentialsService(\n this.idp.configUrl,\n this.logger\n ).fetchToken({\n clientId: this.adminAuth.clientId,\n clientSecret: this.adminAuth.clientSecret,\n scope: this.adminAuth.scope,\n audience: this.adminAuth.audience,\n })\n else {\n throw new Error(\n `IDP type ${this.idp.type} not supported for client_credentials auth`\n )\n }\n } else {\n throw new Error(\n `Auth method ${this.auth.method} not supported for admin access token`\n )\n }\n }\n}\n"]}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@canton-network/core-wallet-auth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.17.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "Provides authentication middleware and user management for the Wallet Gateway",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -26,20 +26,20 @@
|
|
|
26
26
|
},
|
|
27
27
|
"devDependencies": {
|
|
28
28
|
"@jest/globals": "^30.2.0",
|
|
29
|
-
"@swc/core": "^1.15.
|
|
29
|
+
"@swc/core": "^1.15.8",
|
|
30
30
|
"@swc/jest": "^0.2.39",
|
|
31
31
|
"@types/jest": "^30.0.0",
|
|
32
32
|
"jest": "^30.2.0",
|
|
33
|
-
"ts-jest": "^29.4.
|
|
33
|
+
"ts-jest": "^29.4.6",
|
|
34
34
|
"ts-jest-resolver": "^2.0.1",
|
|
35
35
|
"tsup": "^8.5.1",
|
|
36
36
|
"typescript": "^5.9.3"
|
|
37
37
|
},
|
|
38
38
|
"dependencies": {
|
|
39
|
-
"@canton-network/core-rpc-errors": "^0.
|
|
40
|
-
"@canton-network/core-types": "^0.
|
|
41
|
-
"jose": "^6.1.
|
|
42
|
-
"zod": "^4.
|
|
39
|
+
"@canton-network/core-rpc-errors": "^0.13.0",
|
|
40
|
+
"@canton-network/core-types": "^0.16.0",
|
|
41
|
+
"jose": "^6.1.3",
|
|
42
|
+
"zod": "^4.3.5"
|
|
43
43
|
},
|
|
44
44
|
"files": [
|
|
45
45
|
"dist/**"
|