@canton-network/core-wallet-auth 0.23.1 → 0.24.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/auth-service.d.ts +1 -0
  2. package/dist/auth-service.d.ts.map +1 -1
  3. package/dist/auth-token-provider.d.ts +1 -2
  4. package/dist/auth-token-provider.d.ts.map +1 -1
  5. package/dist/auth-utils.d.ts +44 -0
  6. package/dist/auth-utils.d.ts.map +1 -1
  7. package/dist/config/schema.d.ts +20 -0
  8. package/dist/config/schema.d.ts.map +1 -1
  9. package/dist/index.cjs +59 -1
  10. package/dist/index.cjs.map +1 -1
  11. package/dist/index.js +57 -2
  12. package/dist/index.js.map +1 -1
  13. package/package.json +3 -3
package/dist/auth-service.d.ts CHANGED
@@ -5,6 +5,7 @@ export type UserId = string;
5
5
  export interface AuthContext {
6
6
  userId: UserId;
7
7
  accessToken: string;
8
+ email?: string;
8
9
  }
9
10
  /**
10
11
  * Interface for types that are aware of authentication context
package/dist/auth-service.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC;IACxB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,CAAC,CAAA;CAChD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACjC,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,iBAAiB;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B"}
1
+ {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC;IACxB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,CAAC,CAAA;CAChD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACjC,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,iBAAiB;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B"}
package/dist/auth-token-provider.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  import { Logger } from '@canton-network/core-types';
2
2
  import { AccessTokenProvider, AuthContext, ClientCredentials } from './auth-service';
3
3
  import { Auth, Idp } from './config/schema';
4
- type TokenProviderConfig = {
4
+ export type TokenProviderConfig = {
5
5
  method: 'static';
6
6
  token: string;
7
7
  } | {
@@ -45,5 +45,4 @@ export declare class AuthTokenProvider implements AccessTokenProvider {
45
45
  */
46
46
  getAuthContext(): Promise<AuthContext>;
47
47
  }
48
- export {};
49
48
  //# sourceMappingURL=auth-token-provider.d.ts.map
package/dist/auth-token-provider.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,KAAK,mBAAmB,GAClB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAMtD"}
1
+ {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,MAAM,MAAM,mBAAmB,GACzB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAWtD"}
package/dist/auth-utils.d.ts CHANGED
@@ -7,6 +7,50 @@ export declare function assertConnected(authContext: AuthContext | undefined): A
7
7
  * @returns
8
8
  */
9
9
  export declare function jwtUserId(token: string): string;
10
+ /**
11
+ * Extract the optional `email` claim from a JWT.
12
+ *
13
+ * @param token a base64 encoded JWT token
14
+ * @returns email when present, otherwise undefined
15
+ */
16
+ export declare function jwtUserEmail(token: string): string | undefined;
17
+ /**
18
+ * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.
19
+ * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
20
+ */
21
+ export interface OidcUserInfo {
22
+ sub: string;
23
+ name?: string;
24
+ given_name?: string;
25
+ family_name?: string;
26
+ middle_name?: string;
27
+ nickname?: string;
28
+ preferred_username?: string;
29
+ profile?: string;
30
+ picture?: string;
31
+ website?: string;
32
+ email?: string;
33
+ email_verified?: boolean;
34
+ gender?: string;
35
+ birthdate?: string;
36
+ zoneinfo?: string;
37
+ locale?: string;
38
+ phone_number?: string;
39
+ phone_number_verified?: boolean;
40
+ updated_at?: number;
41
+ address?: Record<string, string>;
42
+ [key: string]: unknown;
43
+ }
44
+ /**
45
+ * Fetches user claims from the OIDC UserInfo endpoint.
46
+ * Discovers the endpoint via the OIDC discovery document at configUrl.
47
+ *
48
+ * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)
49
+ * @param accessToken - The user's bearer access token
50
+ * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint
51
+ * @throws If any network request fails
52
+ */
53
+ export declare function fetchOidcUserInfo(configUrl: string, accessToken: string): Promise<OidcUserInfo | undefined>;
10
54
  /**
11
55
  * Determine if a given JWT is still valid based on its expiry time.
12
56
  *
package/dist/auth-utils.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-utils.d.ts","sourceRoot":"","sources":["../src/auth-utils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAG5C,wBAAgB,eAAe,CAC3B,WAAW,EAAE,WAAW,GAAG,SAAS,GACrC,WAAW,CAOb;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ/C;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQjD"}
1
+ {"version":3,"file":"auth-utils.d.ts","sourceRoot":"","sources":["../src/auth-utils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAG5C,wBAAgB,eAAe,CAC3B,WAAW,EAAE,WAAW,GAAG,SAAS,GACrC,WAAW,CAOb;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ/C;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQ9D;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACzB;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACnC,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GACpB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAyBnC;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQjD"}
package/dist/config/schema.d.ts CHANGED
@@ -39,7 +39,27 @@ export declare const authSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
39
39
  clientId: z.ZodString;
40
40
  clientSecret: z.ZodString;
41
41
  }, z.core.$strip>], "method">;
42
+ export declare const authFromEnvSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
43
+ method: z.ZodLiteral<"authorization_code">;
44
+ audience: z.ZodString;
45
+ scope: z.ZodString;
46
+ clientId: z.ZodString;
47
+ }, z.core.$strip>, z.ZodObject<{
48
+ method: z.ZodLiteral<"client_credentials">;
49
+ audience: z.ZodString;
50
+ scope: z.ZodString;
51
+ clientId: z.ZodString;
52
+ clientSecretEnv: z.ZodString;
53
+ }, z.core.$strip>, z.ZodObject<{
54
+ method: z.ZodLiteral<"self_signed">;
55
+ issuer: z.ZodString;
56
+ audience: z.ZodString;
57
+ scope: z.ZodString;
58
+ clientId: z.ZodString;
59
+ clientSecretEnv: z.ZodString;
60
+ }, z.core.$strip>], "method">;
42
61
  export type Auth = z.infer<typeof authSchema>;
62
+ export type AuthFromEnv = z.infer<typeof authFromEnvSchema>;
43
63
  export type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>;
44
64
  export type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>;
45
65
  export type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>;
package/dist/config/schema.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;iBAK/B,CAAA;AAEF,QAAA,MAAM,2BAA2B;;;;;;iBAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;iBAOxB,CAAA;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;6BAIrB,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;2BAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
1
+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,QAAA,MAAM,2BAA2B;;;;;iBAU3B,CAAA;AAEN,QAAA,MAAM,2BAA2B;;;;;;iBAM/B,CAAA;AAEF,QAAA,MAAM,oBAAoB;;;;;;;iBAOxB,CAAA;AAmBF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;6BAIrB,CAAA;AAEF,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;6BAI5B,CAAA;AAEF,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAC7C,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAC3D,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAC/E,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,SAAS;;;;;;;;;2BAYpB,CAAA;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAA"}
package/dist/index.cjs CHANGED
@@ -22,6 +22,34 @@ function jwtUserId(token) {
22
22
  }
23
23
  return sub;
24
24
  }
25
+ function jwtUserEmail(token) {
26
+ const { email } = jose.decodeJwt(token);
27
+ if (typeof email !== "string" || email.length === 0) {
28
+ return void 0;
29
+ }
30
+ return email;
31
+ }
32
+ async function fetchOidcUserInfo(configUrl, accessToken) {
33
+ const configResponse = await fetch(configUrl);
34
+ if (!configResponse.ok) {
35
+ throw new Error(
36
+ `Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`
37
+ );
38
+ }
39
+ const config = await configResponse.json();
40
+ if (!config.userinfo_endpoint) {
41
+ return void 0;
42
+ }
43
+ const userInfoResponse = await fetch(config.userinfo_endpoint, {
44
+ headers: { Authorization: `Bearer ${accessToken}` }
45
+ });
46
+ if (!userInfoResponse.ok) {
47
+ throw new Error(
48
+ `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`
49
+ );
50
+ }
51
+ return await userInfoResponse.json();
52
+ }
25
53
  function jwtExpired(token) {
26
54
  try {
27
55
  const payload = jose.decodeJwt(token);
@@ -219,7 +247,12 @@ var AuthTokenProvider = class _AuthTokenProvider {
219
247
  async getAuthContext() {
220
248
  const accessToken = await this.getAccessToken();
221
249
  const userId = jwtUserId(accessToken);
222
- return { accessToken, userId };
250
+ const email = jwtUserEmail(accessToken);
251
+ return {
252
+ accessToken,
253
+ userId,
254
+ ...email ? { email } : {}
255
+ };
223
256
  }
224
257
  };
225
258
  var authorizationCodeAuthSchema = zod.z.object({
@@ -227,6 +260,8 @@ var authorizationCodeAuthSchema = zod.z.object({
227
260
  audience: zod.z.string(),
228
261
  scope: zod.z.string(),
229
262
  clientId: zod.z.string()
263
+ }).meta({
264
+ description: "Authorization code flow authentication configuration. This is used for browser-based application login."
230
265
  });
231
266
  var clientCredentialsAuthSchema = zod.z.object({
232
267
  method: zod.z.literal("client_credentials"),
@@ -243,11 +278,31 @@ var selfSignedAuthSchema = zod.z.object({
243
278
  clientId: zod.z.string(),
244
279
  clientSecret: zod.z.string()
245
280
  });
281
+ var clientCredentialsEnvAuthSchema = zod.z.object({
282
+ method: zod.z.literal("client_credentials"),
283
+ audience: zod.z.string(),
284
+ scope: zod.z.string(),
285
+ clientId: zod.z.string(),
286
+ clientSecretEnv: zod.z.string()
287
+ });
288
+ var selfSignedEnvAuthSchema = zod.z.object({
289
+ method: zod.z.literal("self_signed"),
290
+ issuer: zod.z.string(),
291
+ audience: zod.z.string(),
292
+ scope: zod.z.string(),
293
+ clientId: zod.z.string(),
294
+ clientSecretEnv: zod.z.string()
295
+ });
246
296
  var authSchema = zod.z.discriminatedUnion("method", [
247
297
  authorizationCodeAuthSchema,
248
298
  clientCredentialsAuthSchema,
249
299
  selfSignedAuthSchema
250
300
  ]);
301
+ var authFromEnvSchema = zod.z.discriminatedUnion("method", [
302
+ authorizationCodeAuthSchema,
303
+ clientCredentialsEnvAuthSchema,
304
+ selfSignedEnvAuthSchema
305
+ ]);
251
306
  var idpSchema = zod.z.discriminatedUnion("type", [
252
307
  zod.z.object({
253
308
  id: zod.z.string(),
@@ -265,10 +320,13 @@ var idpSchema = zod.z.discriminatedUnion("type", [
265
320
  exports.AuthTokenProvider = AuthTokenProvider;
266
321
  exports.ClientCredentialsService = ClientCredentialsService;
267
322
  exports.assertConnected = assertConnected;
323
+ exports.authFromEnvSchema = authFromEnvSchema;
268
324
  exports.authSchema = authSchema;
269
325
  exports.clientCredentialsService = clientCredentialsService;
326
+ exports.fetchOidcUserInfo = fetchOidcUserInfo;
270
327
  exports.idpSchema = idpSchema;
271
328
  exports.jwtExpired = jwtExpired;
329
+ exports.jwtUserEmail = jwtUserEmail;
272
330
  exports.jwtUserId = jwtUserId;
273
331
  //# sourceMappingURL=index.cjs.map
274
332
  //# sourceMappingURL=index.cjs.map
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8BC,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\ntype TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,aAAa,KAAA,EAAmC;AAC5D,EAAA,MAAM,EAAE,KAAA,EAAM,GAAIA,cAAA,CAAU,KAAK,CAAA;AAEjC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,WAAW,CAAA,EAAG;AACjD,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACX;AAuCA,eAAsB,iBAAA,CAClB,WACA,WAAA,EACiC;AACjC,EAAA,MAAM,cAAA,GAAiB,MAAM,KAAA,CAAM,SAAS,CAAA;AAC5C,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACpB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,yCAAA,EAA4C,cAAA,CAAe,MAAM,CAAA,CAAA,EAAI,eAAe,UAAU,CAAA;AAAA,KAClG;AAAA,EACJ;AAEA,EAAA,MAAM,MAAA,GAAU,MAAM,cAAA,CAAe,IAAA,EAAK;AAG1C,EAAA,IAAI,CAAC,OAAO,iBAAA,EAAmB;AAC3B,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,MAAM,gBAAA,GAAmB,MAAM,KAAA,CAAM,MAAA,CAAO,iBAAA,EAAmB;AAAA,IAC3D,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,WAAW,CAAA,CAAA;AAAG,GACrD,CAAA;AACD,EAAA,IAAI,CAAC,iBAAiB,EAAA,EAAI;AACtB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,+BAAA,EAAkC,gBAAA,CAAiB,MAAM,CAAA,CAAA,EAAI,iBAAiB,UAAU,CAAA;AAAA,KAC5F;AAAA,EACJ;AAEA,EAAA,OAAQ,MAAM,iBAAiB,IAAA,EAAK;AACxC;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC7HO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AACpC,IAAA,MAAM,KAAA,GAAQ,aAAa,WAAW,CAAA;AAEtC,IAAA,OAAO;AAAA,MACH,WAAA;AAAA,MACA,MAAA;AAAA,MACA,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU;AAAC,KAC7B;AAAA,EACJ;AACJ;ACzJA,IAAM,2BAAA,GAA8BC,MAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiCA,MAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0BA,MAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoBA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Extract the optional `email` claim from a JWT.\n *\n * @param token a base64 encoded JWT token\n * @returns email when present, otherwise undefined\n */\nexport function jwtUserEmail(token: string): string | undefined {\n const { email } = decodeJwt(token)\n\n if (typeof email !== 'string' || email.length === 0) {\n return undefined\n }\n\n return email\n}\n\n/**\n * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.\n * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n */\nexport interface OidcUserInfo {\n sub: string\n name?: string\n given_name?: string\n family_name?: string\n middle_name?: string\n nickname?: string\n preferred_username?: string\n profile?: string\n picture?: string\n website?: string\n email?: string\n email_verified?: boolean\n gender?: string\n birthdate?: string\n zoneinfo?: string\n locale?: string\n phone_number?: string\n phone_number_verified?: boolean\n updated_at?: number\n address?: Record<string, string>\n [key: string]: unknown\n}\n\n/**\n * Fetches user claims from the OIDC UserInfo endpoint.\n * Discovers the endpoint via the OIDC discovery document at configUrl.\n *\n * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)\n * @param accessToken - The user's bearer access token\n * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint\n * @throws If any network request fails\n */\nexport async function fetchOidcUserInfo(\n configUrl: string,\n accessToken: string\n): Promise<OidcUserInfo | undefined> {\n const configResponse = await fetch(configUrl)\n if (!configResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`\n )\n }\n\n const config = (await configResponse.json()) as {\n userinfo_endpoint?: string\n }\n if (!config.userinfo_endpoint) {\n return undefined\n }\n\n const userInfoResponse = await fetch(config.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${accessToken}` },\n })\n if (!userInfoResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`\n )\n }\n\n return (await userInfoResponse.json()) as OidcUserInfo\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserEmail, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n const email = jwtUserEmail(accessToken)\n\n return {\n accessToken,\n userId,\n ...(email ? { email } : {}),\n }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
package/dist/index.js CHANGED
@@ -20,6 +20,34 @@ function jwtUserId(token) {
20
20
  }
21
21
  return sub;
22
22
  }
23
+ function jwtUserEmail(token) {
24
+ const { email } = decodeJwt(token);
25
+ if (typeof email !== "string" || email.length === 0) {
26
+ return void 0;
27
+ }
28
+ return email;
29
+ }
30
+ async function fetchOidcUserInfo(configUrl, accessToken) {
31
+ const configResponse = await fetch(configUrl);
32
+ if (!configResponse.ok) {
33
+ throw new Error(
34
+ `Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`
35
+ );
36
+ }
37
+ const config = await configResponse.json();
38
+ if (!config.userinfo_endpoint) {
39
+ return void 0;
40
+ }
41
+ const userInfoResponse = await fetch(config.userinfo_endpoint, {
42
+ headers: { Authorization: `Bearer ${accessToken}` }
43
+ });
44
+ if (!userInfoResponse.ok) {
45
+ throw new Error(
46
+ `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`
47
+ );
48
+ }
49
+ return await userInfoResponse.json();
50
+ }
23
51
  function jwtExpired(token) {
24
52
  try {
25
53
  const payload = decodeJwt(token);
@@ -217,7 +245,12 @@ var AuthTokenProvider = class _AuthTokenProvider {
217
245
  async getAuthContext() {
218
246
  const accessToken = await this.getAccessToken();
219
247
  const userId = jwtUserId(accessToken);
220
- return { accessToken, userId };
248
+ const email = jwtUserEmail(accessToken);
249
+ return {
250
+ accessToken,
251
+ userId,
252
+ ...email ? { email } : {}
253
+ };
221
254
  }
222
255
  };
223
256
  var authorizationCodeAuthSchema = z.object({
@@ -225,6 +258,8 @@ var authorizationCodeAuthSchema = z.object({
225
258
  audience: z.string(),
226
259
  scope: z.string(),
227
260
  clientId: z.string()
261
+ }).meta({
262
+ description: "Authorization code flow authentication configuration. This is used for browser-based application login."
228
263
  });
229
264
  var clientCredentialsAuthSchema = z.object({
230
265
  method: z.literal("client_credentials"),
@@ -241,11 +276,31 @@ var selfSignedAuthSchema = z.object({
241
276
  clientId: z.string(),
242
277
  clientSecret: z.string()
243
278
  });
279
+ var clientCredentialsEnvAuthSchema = z.object({
280
+ method: z.literal("client_credentials"),
281
+ audience: z.string(),
282
+ scope: z.string(),
283
+ clientId: z.string(),
284
+ clientSecretEnv: z.string()
285
+ });
286
+ var selfSignedEnvAuthSchema = z.object({
287
+ method: z.literal("self_signed"),
288
+ issuer: z.string(),
289
+ audience: z.string(),
290
+ scope: z.string(),
291
+ clientId: z.string(),
292
+ clientSecretEnv: z.string()
293
+ });
244
294
  var authSchema = z.discriminatedUnion("method", [
245
295
  authorizationCodeAuthSchema,
246
296
  clientCredentialsAuthSchema,
247
297
  selfSignedAuthSchema
248
298
  ]);
299
+ var authFromEnvSchema = z.discriminatedUnion("method", [
300
+ authorizationCodeAuthSchema,
301
+ clientCredentialsEnvAuthSchema,
302
+ selfSignedEnvAuthSchema
303
+ ]);
249
304
  var idpSchema = z.discriminatedUnion("type", [
250
305
  z.object({
251
306
  id: z.string(),
@@ -260,6 +315,6 @@ var idpSchema = z.discriminatedUnion("type", [
260
315
  })
261
316
  ]);
262
317
 
263
- export { AuthTokenProvider, ClientCredentialsService, assertConnected, authSchema, clientCredentialsService, idpSchema, jwtExpired, jwtUserId };
318
+ export { AuthTokenProvider, ClientCredentialsService, assertConnected, authFromEnvSchema, authSchema, clientCredentialsService, fetchOidcUserInfo, idpSchema, jwtExpired, jwtUserEmail, jwtUserId };
264
319
  //# sourceMappingURL=index.js.map
265
320
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,CAAA;AAED,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAOM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\ntype TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z.object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n})\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,aAAa,KAAA,EAAmC;AAC5D,EAAA,MAAM,EAAE,KAAA,EAAM,GAAI,SAAA,CAAU,KAAK,CAAA;AAEjC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,WAAW,CAAA,EAAG;AACjD,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACX;AAuCA,eAAsB,iBAAA,CAClB,WACA,WAAA,EACiC;AACjC,EAAA,MAAM,cAAA,GAAiB,MAAM,KAAA,CAAM,SAAS,CAAA;AAC5C,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACpB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,yCAAA,EAA4C,cAAA,CAAe,MAAM,CAAA,CAAA,EAAI,eAAe,UAAU,CAAA;AAAA,KAClG;AAAA,EACJ;AAEA,EAAA,MAAM,MAAA,GAAU,MAAM,cAAA,CAAe,IAAA,EAAK;AAG1C,EAAA,IAAI,CAAC,OAAO,iBAAA,EAAmB;AAC3B,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,MAAM,gBAAA,GAAmB,MAAM,KAAA,CAAM,MAAA,CAAO,iBAAA,EAAmB;AAAA,IAC3D,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,WAAW,CAAA,CAAA;AAAG,GACrD,CAAA;AACD,EAAA,IAAI,CAAC,iBAAiB,EAAA,EAAI;AACtB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,+BAAA,EAAkC,gBAAA,CAAiB,MAAM,CAAA,CAAA,EAAI,iBAAiB,UAAU,CAAA;AAAA,KAC5F;AAAA,EACJ;AAEA,EAAA,OAAQ,MAAM,iBAAiB,IAAA,EAAK;AACxC;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC7HO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AACpC,IAAA,MAAM,KAAA,GAAQ,aAAa,WAAW,CAAA;AAEtC,IAAA,OAAO;AAAA,MACH,WAAA;AAAA,MACA,MAAA;AAAA,MACA,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU;AAAC,KAC7B;AAAA,EACJ;AACJ;ACzJA,IAAM,2BAAA,GAA8B,EAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiC,EAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoB,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Extract the optional `email` claim from a JWT.\n *\n * @param token a base64 encoded JWT token\n * @returns email when present, otherwise undefined\n */\nexport function jwtUserEmail(token: string): string | undefined {\n const { email } = decodeJwt(token)\n\n if (typeof email !== 'string' || email.length === 0) {\n return undefined\n }\n\n return email\n}\n\n/**\n * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.\n * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n */\nexport interface OidcUserInfo {\n sub: string\n name?: string\n given_name?: string\n family_name?: string\n middle_name?: string\n nickname?: string\n preferred_username?: string\n profile?: string\n picture?: string\n website?: string\n email?: string\n email_verified?: boolean\n gender?: string\n birthdate?: string\n zoneinfo?: string\n locale?: string\n phone_number?: string\n phone_number_verified?: boolean\n updated_at?: number\n address?: Record<string, string>\n [key: string]: unknown\n}\n\n/**\n * Fetches user claims from the OIDC UserInfo endpoint.\n * Discovers the endpoint via the OIDC discovery document at configUrl.\n *\n * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)\n * @param accessToken - The user's bearer access token\n * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint\n * @throws If any network request fails\n */\nexport async function fetchOidcUserInfo(\n configUrl: string,\n accessToken: string\n): Promise<OidcUserInfo | undefined> {\n const configResponse = await fetch(configUrl)\n if (!configResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`\n )\n }\n\n const config = (await configResponse.json()) as {\n userinfo_endpoint?: string\n }\n if (!config.userinfo_endpoint) {\n return undefined\n }\n\n const userInfoResponse = await fetch(config.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${accessToken}` },\n })\n if (!userInfoResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`\n )\n }\n\n return (await userInfoResponse.json()) as OidcUserInfo\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? '',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserEmail, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n const email = jwtUserEmail(accessToken)\n\n return {\n accessToken,\n userId,\n ...(email ? { email } : {}),\n }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@canton-network/core-wallet-auth",
3
- "version": "0.23.1",
3
+ "version": "0.24.1",
4
4
  "type": "module",
5
5
  "description": "Provides authentication middleware and user management for the Wallet Gateway",
6
6
  "license": "Apache-2.0",
@@ -36,8 +36,8 @@
36
36
  "typescript": "^5.9.3"
37
37
  },
38
38
  "dependencies": {
39
- "@canton-network/core-rpc-errors": "^0.18.2",
40
- "@canton-network/core-types": "^0.22.1",
39
+ "@canton-network/core-rpc-errors": "^0.19.1",
40
+ "@canton-network/core-types": "^0.23.1",
41
41
  "jose": "^6.1.3",
42
42
  "zod": "^4.3.6"
43
43
  },