@canton-network/core-wallet-auth 0.23.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/auth-token-provider.d.ts +1 -2
  2. package/dist/auth-token-provider.d.ts.map +1 -1
  3. package/dist/config/schema.d.ts +20 -0
  4. package/dist/config/schema.d.ts.map +1 -1
  5. package/dist/index.cjs +23 -0
  6. package/dist/index.cjs.map +1 -1
  7. package/dist/index.js +23 -1
  8. package/dist/index.js.map +1 -1
  9. package/package.json +3 -3
package/dist/auth-token-provider.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  import { Logger } from '@canton-network/core-types';
2
2
  import { AccessTokenProvider, AuthContext, ClientCredentials } from './auth-service';
3
3
  import { Auth, Idp } from './config/schema';
4
- type TokenProviderConfig = {
4
+ export type TokenProviderConfig = {
5
5
  method: 'static';
6
6
  token: string;
7
7
  } | {
@@ -45,5 +45,4 @@ export declare class AuthTokenProvider implements AccessTokenProvider {
45
45
  */
46
46
  getAuthContext(): Promise<AuthContext>;
47
47
  }
48
- export {};
49
48
  //# sourceMappingURL=auth-token-provider.d.ts.map
package/dist/auth-token-provider.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,KAAK,mBAAmB,GAClB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAMtD"}
1
+ {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,MAAM,MAAM,mBAAmB,GACzB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAMtD"}
package/dist/config/schema.d.ts CHANGED
@@ -39,7 +39,27 @@ export declare const authSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
39
39
  clientId: z.ZodString;
40
40
  clientSecret: z.ZodString;
41
41
  }, z.core.$strip>], "method">;
42
+ export declare const authFromEnvSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
43
+ method: z.ZodLiteral<"authorization_code">;
44
+ audience: z.ZodString;
45
+ scope: z.ZodString;
46
+ clientId: z.ZodString;
47
+ }, z.core.$strip>, z.ZodObject<{
48
+ method: z.ZodLiteral<"client_credentials">;
49
+ audience: z.ZodString;
50
+ scope: z.ZodString;
51
+ clientId: z.ZodString;
52
+ clientSecretEnv: z.ZodString;
53
+ }, z.core.$strip>, z.ZodObject<{
54
+ method: z.ZodLiteral<"self_signed">;
55
+ issuer: z.ZodString;
56
+ audience: z.ZodString;
57
+ scope: z.ZodString;
58
+ clientId: z.ZodString;
59
+ clientSecretEnv: z.ZodString;
60
+ }, z.core.$strip>], "method">;
42
61
  export type Auth = z.infer<typeof authSchema>;
62
+ export type AuthFromEnv = z.infer<typeof authFromEnvSchema>;
43
63
  export type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>;
44
64
  export type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>;
45
65
  export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
package/dist/config/schema.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;iBAK/B,CAAA;AAEF,QAAA,MAAM,2BAA2B;;;;;;iBAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;iBAOxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;6BAIrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;2BAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
1
+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;iBAU3B,CAAA;AAEN,QAAA,MAAM,2BAA2B;;;;;;iBAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;iBAOxB,CAAA;AAmBF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;6BAIrB,CAAA;AAEF,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;6BAI5B,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAC3D,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;2BAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
package/dist/index.cjs CHANGED
@@ -227,6 +227,8 @@ var authorizationCodeAuthSchema = zod.z.object({
227
227
  audience: zod.z.string(),
228
228
  scope: zod.z.string(),
229
229
  clientId: zod.z.string()
230
+ }).meta({
231
+ description: "Authorization code flow authentication configuration. This is used for browser-based application login."
230
232
  });
231
233
  var clientCredentialsAuthSchema = zod.z.object({
232
234
  method: zod.z.literal("client_credentials"),
@@ -243,11 +245,31 @@ var selfSignedAuthSchema = zod.z.object({
243
245
  clientId: zod.z.string(),
244
246
  clientSecret: zod.z.string()
245
247
  });
248
+ var clientCredentialsEnvAuthSchema = zod.z.object({
249
+ method: zod.z.literal("client_credentials"),
250
+ audience: zod.z.string(),
251
+ scope: zod.z.string(),
252
+ clientId: zod.z.string(),
253
+ clientSecretEnv: zod.z.string()
254
+ });
255
+ var selfSignedEnvAuthSchema = zod.z.object({
256
+ method: zod.z.literal("self_signed"),
257
+ issuer: zod.z.string(),
258
+ audience: zod.z.string(),
259
+ scope: zod.z.string(),
260
+ clientId: zod.z.string(),
261
+ clientSecretEnv: zod.z.string()
262
+ });
246
263
  var authSchema = zod.z.discriminatedUnion("method", [
247
264
  authorizationCodeAuthSchema,
248
265
  clientCredentialsAuthSchema,
249
266
  selfSignedAuthSchema
250
267
  ]);
268
+ var authFromEnvSchema = zod.z.discriminatedUnion("method", [
269
+ authorizationCodeAuthSchema,
270
+ clientCredentialsEnvAuthSchema,
271
+ selfSignedEnvAuthSchema
272
+ ]);
251
273
  var idpSchema = zod.z.discriminatedUnion("type", [
252
274
  zod.z.object({
253
275
  id: zod.z.string(),
@@ -265,6 +287,7 @@ var idpSchema = zod.z.discriminatedUnion("type", [
265
287
  exports.AuthTokenProvider = AuthTokenProvider;
266
288
  exports.ClientCredentialsService = ClientCredentialsService;
267
289
  exports.assertConnected = assertConnected;
290
+ exports.authFromEnvSchema = authFromEnvSchema;
268
291
  exports.authSchema = authSchema;
269
292
  exports.clientCredentialsService = clientCredentialsService;
270
293
  exports.idpSchema = idpSchema;
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\ntype TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8BC,MAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiCA,MAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0BA,MAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoBA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
package/dist/index.js CHANGED
@@ -225,6 +225,8 @@ var authorizationCodeAuthSchema = z.object({
225
225
  audience: z.string(),
226
226
  scope: z.string(),
227
227
  clientId: z.string()
228
+ }).meta({
229
+ description: "Authorization code flow authentication configuration. This is used for browser-based application login."
228
230
  });
229
231
  var clientCredentialsAuthSchema = z.object({
230
232
  method: z.literal("client_credentials"),
@@ -241,11 +243,31 @@ var selfSignedAuthSchema = z.object({
241
243
  clientId: z.string(),
242
244
  clientSecret: z.string()
243
245
  });
246
+ var clientCredentialsEnvAuthSchema = z.object({
247
+ method: z.literal("client_credentials"),
248
+ audience: z.string(),
249
+ scope: z.string(),
250
+ clientId: z.string(),
251
+ clientSecretEnv: z.string()
252
+ });
253
+ var selfSignedEnvAuthSchema = z.object({
254
+ method: z.literal("self_signed"),
255
+ issuer: z.string(),
256
+ audience: z.string(),
257
+ scope: z.string(),
258
+ clientId: z.string(),
259
+ clientSecretEnv: z.string()
260
+ });
244
261
  var authSchema = z.discriminatedUnion("method", [
245
262
  authorizationCodeAuthSchema,
246
263
  clientCredentialsAuthSchema,
247
264
  selfSignedAuthSchema
248
265
  ]);
266
+ var authFromEnvSchema = z.discriminatedUnion("method", [
267
+ authorizationCodeAuthSchema,
268
+ clientCredentialsEnvAuthSchema,
269
+ selfSignedEnvAuthSchema
270
+ ]);
249
271
  var idpSchema = z.discriminatedUnion("type", [
250
272
  z.object({
251
273
  id: z.string(),
@@ -260,6 +282,6 @@ var idpSchema = z.discriminatedUnion("type", [
260
282
  })
261
283
  ]);
262
284
 
263
- export { AuthTokenProvider, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService, idpSchema, jwtExpired, jwtUserId };
285
+ export { AuthTokenProvider, ClientCredentialsService, assertConnected, authFromEnvSchema, authSchema, clientCredentialsService, idpSchema, jwtExpired, jwtUserId };
264
286
  //# sourceMappingURL=index.js.map
265
287
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\ntype TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8B,EAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiC,EAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoB,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@canton-network/core-wallet-auth",
3
- "version": "0.23.0",
3
+ "version": "0.24.0",
4
4
  "type": "module",
5
5
  "description": "Provides authentication middleware and user management for the Wallet Gateway",
6
6
  "license": "Apache-2.0",
@@ -36,8 +36,8 @@
36
36
  "typescript": "^5.9.3"
37
37
  },
38
38
  "dependencies": {
39
- "@canton-network/core-rpc-errors": "^0.18.1",
40
- "@canton-network/core-types": "^0.22.0",
39
+ "@canton-network/core-rpc-errors": "^0.19.0",
40
+ "@canton-network/core-types": "^0.23.0",
41
41
  "jose": "^6.1.3",
42
42
  "zod": "^4.3.6"
43
43
  },