@canton-network/core-wallet-auth 0.24.0 → 0.24.2

@@ -5,6 +5,7 @@ export type UserId = string;
5
5
  export interface AuthContext {
6
6
  userId: UserId;
7
7
  accessToken: string;
8
+ email?: string;
8
9
  }
9
10
  /**
10
11
  * Interface for types that are aware of authentication context
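Review bot: The new `email` field on `AuthContext` carries no doc comment, and what it holds is weaker than the name suggests: in this package it is filled by `jwtUserEmail`, which reads the claim from a decoded, not signature-verified, token, and `AuthContext` carries no `email_verified` next to it. Without that stated, consumers will reasonably treat the field as an authenticated identity attribute and use it for account linking or authorization. I would add above the field `/** Email taken from the token's 'email' claim, when present. Informational only: the claim is not verified here and no 'email_verified' is carried, so do not use it for authorization or account linking. */`. The interface is complete within the hunk.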
@@ -1 +1 @@
1
- {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC;IACxB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,CAAC,CAAA;CAChD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACjC,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,iBAAiB;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B"}
1
+ {"version":3,"file":"auth-service.d.ts","sourceRoot":"","sources":["../src/auth-service.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,MAAM,GAAG,MAAM,CAAA;AAE3B;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC;IACxB,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,eAAe,EAAE,CAAC,OAAO,CAAC,EAAE,WAAW,KAAK,CAAC,CAAA;CAChD;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAAA;CACtE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IACjC,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC,CAAA;CACzC;AAED,MAAM,WAAW,UAAU;IACvB,cAAc,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,iBAAiB;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;CAC/B"}
@@ -1 +1 @@
1
- {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,MAAM,MAAM,mBAAmB,GACzB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAMtD"}
1
+ {"version":3,"file":"auth-token-provider.d.ts","sourceRoot":"","sources":["../src/auth-token-provider.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EACH,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EACpB,MAAM,gBAAgB,CAAA;AAIvB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE3C,MAAM,MAAM,mBAAmB,GACzB;IACI,MAAM,EAAE,QAAQ,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;CAChB,GACD;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,WAAW,EAAE,iBAAiB,CAAA;CACjC,GACD;IACI,MAAM,EAAE,oBAAoB,CAAA;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,iBAAiB,CAAA;CACjC,CAAA;AAEP;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAkB,YAAW,mBAAmB;IAIrD,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;IAC9C,SAAS,CAAC,MAAM,EAAE,MAAM;IAJ5B,OAAO,CAAC,WAAW,CAAoB;gBAGhB,MAAM,EAAE,mBAAmB,EACpC,MAAM,EAAE,MAAM;IAG5B,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB;IAIlE,MAAM,CAAC,iBAAiB,CACpB,GAAG,EAAE,GAAG,EACR,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,MAAM,GACf,iBAAiB;YA4CN,WAAW;IAoBzB;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC;IAgB9C;;;OAGG;IACU,cAAc,IAAI,OAAO,CAAC,WAAW,CAAC;CAWtD"}
@@ -7,6 +7,50 @@ export declare function assertConnected(authContext: AuthContext | undefined): A
7
7
  * @returns
8
8
  */
9
9
  export declare function jwtUserId(token: string): string;
10
+ /**
11
+ * Extract the optional `email` claim from a JWT.
12
+ *
13
+ * @param token a base64 encoded JWT token
14
+ * @returns email when present, otherwise undefined
15
+ */
16
+ export declare function jwtUserEmail(token: string): string | undefined;
17
+ /**
18
+ * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.
19
+ * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
20
+ */
21
+ export interface OidcUserInfo {
22
+ sub: string;
23
+ name?: string;
24
+ given_name?: string;
25
+ family_name?: string;
26
+ middle_name?: string;
27
+ nickname?: string;
28
+ preferred_username?: string;
29
+ profile?: string;
30
+ picture?: string;
31
+ website?: string;
32
+ email?: string;
33
+ email_verified?: boolean;
34
+ gender?: string;
35
+ birthdate?: string;
36
+ zoneinfo?: string;
37
+ locale?: string;
38
+ phone_number?: string;
39
+ phone_number_verified?: boolean;
40
+ updated_at?: number;
41
+ address?: Record<string, string>;
42
+ [key: string]: unknown;
43
+ }
44
+ /**
45
+ * Fetches user claims from the OIDC UserInfo endpoint.
46
+ * Discovers the endpoint via the OIDC discovery document at configUrl.
47
+ *
48
+ * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)
49
+ * @param accessToken - The user's bearer access token
50
+ * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint
51
+ * @throws If any network request fails
52
+ */
53
+ export declare function fetchOidcUserInfo(configUrl: string, accessToken: string): Promise<OidcUserInfo | undefined>;
10
54
  /**
11
55
  * Determine if a given JWT is still valid based on its expiry time.
12
56
  *
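Review bot: The `fetchOidcUserInfo` doc block never says that `accessToken` is sent as a bearer credential to the `userinfo_endpoint` named by the document fetched from `configUrl`, so the security contract is invisible to callers: whoever controls that discovery document receives the token, which means `configUrl` must be a trusted https URL. The `@returns` line should also state that the claims come back exactly as parsed, with no check that `sub` matches the token or that `email_verified` is true; `OidcUserInfo` makes `email_verified` optional and the `[key: string]: unknown` signature admits anything the IdP sends. `jwtUserEmail`'s comment should likewise note that the claim is read from the token without signature verification. Suggested additions: `@remarks The token is forwarded to the endpoint named in the discovery document; configUrl must be a trusted https URL.` and `@remarks Claims are returned unvalidated; check email_verified before trusting email.`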
@@ -1 +1 @@
1
- {"version":3,"file":"auth-utils.d.ts","sourceRoot":"","sources":["../src/auth-utils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAG5C,wBAAgB,eAAe,CAC3B,WAAW,EAAE,WAAW,GAAG,SAAS,GACrC,WAAW,CAOb;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ/C;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQjD"}
1
+ {"version":3,"file":"auth-utils.d.ts","sourceRoot":"","sources":["../src/auth-utils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAG5C,wBAAgB,eAAe,CAC3B,WAAW,EAAE,WAAW,GAAG,SAAS,GACrC,WAAW,CAOb;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQ/C;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQ9D;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACzB;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACnC,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GACpB,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAyBnC;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQjD"}
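--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -22,6 +22,34 @@ function jwtUserId(token) {
 }
 return sub;
 }
+function jwtUserEmail(token) {
+const { email } = jose.decodeJwt(token);
+if (typeof email !== "string" || email.length === 0) {
+return void 0;
+}
+return email;
+}
+async function fetchOidcUserInfo(configUrl, accessToken) {
+const configResponse = await fetch(configUrl);
+if (!configResponse.ok) {
+throw new Error(
+`Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`
+);
+}
+const config = await configResponse.json();
+if (!config.userinfo_endpoint) {
+return void 0;
+}
+const userInfoResponse = await fetch(config.userinfo_endpoint, {
+headers: { Authorization: `Bearer ${accessToken}` }
+});
+if (!userInfoResponse.ok) {
+throw new Error(
+`Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`
+);
+}
+return await userInfoResponse.json();
+}
 function jwtExpired(token) {
 try {
 const payload = jose.decodeJwt(token);
@@ -219,7 +247,12 @@ var AuthTokenProvider = class _AuthTokenProvider {
 async getAuthContext() {
 const accessToken = await this.getAccessToken();
 const userId = jwtUserId(accessToken);
-return { accessToken, userId };
+const email = jwtUserEmail(accessToken);
+return {
+accessToken,
+userId,
+...email ? { email } : {}
+};
 }
 };
 var authorizationCodeAuthSchema = zod.z.object({
@@ -290,8 +323,10 @@ exports.assertConnected = assertConnected;
 exports.authFromEnvSchema = authFromEnvSchema;
 exports.authSchema = authSchema;
 exports.clientCredentialsService = clientCredentialsService;
+exports.fetchOidcUserInfo = fetchOidcUserInfo;
 exports.idpSchema = idpSchema;
 exports.jwtExpired = jwtExpired;
+exports.jwtUserEmail = jwtUserEmail;
 exports.jwtUserId = jwtUserId;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map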
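Review bot: `fetchOidcUserInfo` forwards the caller's bearer token to whatever `userinfo_endpoint` the discovery document names, with no check that it is an https URL, so a plaintext `configUrl` or a tampered discovery document turns the call into token exfiltration; OIDC Discovery requires `userinfo_endpoint` to be https in any case. The userinfo body is also returned as parsed, so a response with no `sub` is silently accepted even though OIDC Core 5.3.2 requires the client to verify it; at minimum require a non-empty string `sub`, and since `getAuthContext` already treats the access token as a JWT whose `sub` is the user id, comparing it with `jwtUserId(accessToken)` is a reasonable follow-up where opaque tokens are not in play. A related caveat for `jwtUserEmail`: `jose.decodeJwt` does not verify the signature and `email_verified` is never consulted, so the `email` placed on the context is informational only and deserves a comment saying so. The rewrite below adds the endpoint and `sub` checks.

```javascript
async function fetchOidcUserInfo(configUrl, accessToken) {
  // … unchanged: discovery document fetch, `ok` check, `userinfo_endpoint` presence check …
  // OIDC Discovery requires userinfo_endpoint to be https; refuse to send the bearer
  // token anywhere else, since a tampered or plaintext discovery document would
  // otherwise redirect it.
  const endpoint = new URL(config.userinfo_endpoint);
  if (endpoint.protocol !== "https:") {
    throw new Error(`OIDC userinfo_endpoint is not https: ${endpoint.origin}`);
  }
  const userInfoResponse = await fetch(endpoint, {
    headers: { Authorization: `Bearer ${accessToken}` }
  });
  // … unchanged: `ok` check …
  const userInfo = await userInfoResponse.json();
  // OIDC Core 5.3.2: a UserInfo response without a usable `sub` must be rejected.
  if (typeof userInfo.sub !== "string" || userInfo.sub.length === 0) {
    throw new Error("OIDC userinfo response did not contain a subject");
  }
  return userInfo;
}
```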
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YA
AY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAA
U,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC
9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8BC,MAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiCA,MAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0BA,MAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoBA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,
EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. 
Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return 
SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. 
This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":["providerErrors","decodeJwt","SignJWT","z"],"mappings":";;;;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAMA,6BAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAIC,cAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,aAAa,KAAA,EAAmC;AAC5D,EAAA,MAAM,EAAE,KAAA,EAAM,GAAIA,cAAA,CAAU,KAAK,CAAA;AAEjC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,WAAW,CAAA,EAAG;AACjD,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACX;AAuCA,eAAsB,iBAAA,CAClB,WACA,WAAA,EACiC;AACjC,EAAA,MAAM,cAAA,GAAiB,MAAM,KAAA,CAAM,SAAS,CAAA;AAC5C,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACpB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,yCAAA,EAA4C,cAAA,CAAe,MAAM,CAAA,CAAA,EAAI,eAAe,UAAU,CAAA;AAAA,KAClG;AAAA,EACJ;AAEA,EAAA,MAAM,MAAA,GAAU,MAAM,cAAA,CAAe,IAAA,EAAK;AAG1C,EAAA,IAAI,CAAC,OAAO,iBAAA,EAAmB;AAC3B,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,MAAM,gBAAA,GAAmB,MAAM,KAAA,CAAM,MAAA,CAAO,iBAAA,EAAmB;AAAA,IAC3D,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,WAAW,CAAA,CAAA;AAAG,GACrD,CAAA;AACD,EAAA,IAAI,CAAC,iBAAiB,EAAA,EAAI;AACtB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,+BAAA,EAAkC,gBAAA,CAAiB,MAAM,CAAA,CAAA,EAAI,iBAAiB,UAAU,CAAA;AAAA,KAC5F;AAAA,EACJ;AAEA,EAAA,OAAQ,MAAM,iBAAiB,IAAA,EAAK;AACxC;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAUA,eAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC7HO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAA
W,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EA
AW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAIC,YAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK
,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AACpC,IAAA,MAAM,KAAA,GAAQ,aAAa,WAAW,CAAA;AAEtC,IAAA,OAAO;AAAA,MACH,WAAA;AAAA,MACA,MAAA;AAAA,MACA,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU;AAAC,KAC7B;AAAA,EACJ;AACJ;ACzJA,IAAM,2BAAA,GAA8BC,MAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8BA,MAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuBA,MAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAcA,MAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiCA,MAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;
AAAA,EACtC,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0BA,MAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAOA,MAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAUA,MAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiBA,MAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAaA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoBA,KAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAYA,KAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQA,MAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACDA,MAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAIA,MAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAMA,KAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQA,MAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAWA,KAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.cjs","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. 
Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Extract the optional `email` claim from a JWT.\n *\n * @param token a base64 encoded JWT token\n * @returns email when present, otherwise undefined\n */\nexport function jwtUserEmail(token: string): string | undefined {\n const { email } = decodeJwt(token)\n\n if (typeof email !== 'string' || email.length === 0) {\n return undefined\n }\n\n return email\n}\n\n/**\n * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.\n * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n */\nexport interface OidcUserInfo {\n sub: string\n name?: string\n given_name?: string\n family_name?: string\n middle_name?: string\n nickname?: string\n preferred_username?: string\n profile?: string\n picture?: string\n website?: string\n email?: string\n email_verified?: boolean\n gender?: string\n birthdate?: string\n zoneinfo?: string\n locale?: string\n phone_number?: string\n phone_number_verified?: boolean\n updated_at?: number\n address?: Record<string, string>\n [key: string]: unknown\n}\n\n/**\n * Fetches user claims from the OIDC UserInfo endpoint.\n * Discovers the endpoint via the OIDC discovery document at configUrl.\n *\n * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)\n * @param accessToken - The user's bearer access token\n * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint\n * @throws If any network request fails\n */\nexport async function fetchOidcUserInfo(\n configUrl: string,\n accessToken: string\n): Promise<OidcUserInfo | undefined> {\n const configResponse = await fetch(configUrl)\n if (!configResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC discovery document: 
${configResponse.status} ${configResponse.statusText}`\n )\n }\n\n const config = (await configResponse.json()) as {\n userinfo_endpoint?: string\n }\n if (!config.userinfo_endpoint) {\n return undefined\n }\n\n const userInfoResponse = await fetch(config.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${accessToken}` },\n })\n if (!userInfoResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`\n )\n }\n\n return (await userInfoResponse.json()) as OidcUserInfo\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserEmail, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. 
Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return 
SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n const email = jwtUserEmail(accessToken)\n\n return {\n accessToken,\n userId,\n ...(email ? { email } : {}),\n }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. 
This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
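--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -20,6 +20,34 @@ function jwtUserId(token) {
 }
 return sub;
 }
+function jwtUserEmail(token) {
+const { email } = decodeJwt(token);
+if (typeof email !== "string" || email.length === 0) {
+return void 0;
+}
+return email;
+}
+async function fetchOidcUserInfo(configUrl, accessToken) {
+const configResponse = await fetch(configUrl);
+if (!configResponse.ok) {
+throw new Error(
+`Failed to fetch OIDC discovery document: ${configResponse.status} ${configResponse.statusText}`
+);
+}
+const config = await configResponse.json();
+if (!config.userinfo_endpoint) {
+return void 0;
+}
+const userInfoResponse = await fetch(config.userinfo_endpoint, {
+headers: { Authorization: `Bearer ${accessToken}` }
+});
+if (!userInfoResponse.ok) {
+throw new Error(
+`Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`
+);
+}
+return await userInfoResponse.json();
+}
 function jwtExpired(token) {
 try {
 const payload = decodeJwt(token);
@@ -217,7 +245,12 @@ var AuthTokenProvider = class _AuthTokenProvider {
 async getAuthContext() {
 const accessToken = await this.getAccessToken();
 const userId = jwtUserId(accessToken);
-return { accessToken, userId };
+const email = jwtUserEmail(accessToken);
+return {
+accessToken,
+userId,
+...email ? { email } : {}
+};
 }
 };
 var authorizationCodeAuthSchema = z.object({
@@ -282,6 +315,6 @@ var idpSchema = z.discriminatedUnion("type", [
 })
 ]);
 
-export { AuthTokenProvider, ClientCredentialsService, assertConnected, authFromEnvSchema, authSchema, clientCredentialsService, idpSchema, jwtExpired, jwtUserId };
+export { AuthTokenProvider, ClientCredentialsService, assertConnected, authFromEnvSchema, authSchema, clientCredentialsService, fetchOidcUserInfo, idpSchema, jwtExpired, jwtUserEmail, jwtUserId };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map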
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC1CO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA
,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA
,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,CAAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AAEpC,IAAA,
OAAO,EAAE,aAAa,MAAA,EAAO;AAAA,EACjC;AACJ;ACpJA,IAAM,2BAAA,GAA8B,EAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiC,EAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoB,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index
.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. 
Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return 
SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n\n return { accessToken, userId }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. 
This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
1
+ {"version":3,"sources":["../src/auth-utils.ts","../src/client-credentials-service.ts","../src/self-signed-token-service.ts","../src/auth-token-provider.ts","../src/config/schema.ts"],"names":[],"mappings":";;;;;;;AAOO,SAAS,gBACZ,WAAA,EACW;AACX,EAAA,IAAI,CAAC,WAAA,EAAa;AACd,IAAA,MAAM,eAAe,YAAA,CAAa;AAAA,MAC9B,OAAA,EAAS;AAAA,KACZ,CAAA;AAAA,EACL;AACA,EAAA,OAAO,WAAA;AACX;AAQO,SAAS,UAAU,KAAA,EAAuB;AAC7C,EAAA,MAAM,EAAE,GAAA,EAAI,GAAI,SAAA,CAAU,KAAK,CAAA;AAE/B,EAAA,IAAI,CAAC,GAAA,EAAK;AACN,IAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,GAAA;AACX;AAQO,SAAS,aAAa,KAAA,EAAmC;AAC5D,EAAA,MAAM,EAAE,KAAA,EAAM,GAAI,SAAA,CAAU,KAAK,CAAA;AAEjC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,WAAW,CAAA,EAAG;AACjD,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,OAAO,KAAA;AACX;AAuCA,eAAsB,iBAAA,CAClB,WACA,WAAA,EACiC;AACjC,EAAA,MAAM,cAAA,GAAiB,MAAM,KAAA,CAAM,SAAS,CAAA;AAC5C,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACpB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,yCAAA,EAA4C,cAAA,CAAe,MAAM,CAAA,CAAA,EAAI,eAAe,UAAU,CAAA;AAAA,KAClG;AAAA,EACJ;AAEA,EAAA,MAAM,MAAA,GAAU,MAAM,cAAA,CAAe,IAAA,EAAK;AAG1C,EAAA,IAAI,CAAC,OAAO,iBAAA,EAAmB;AAC3B,IAAA,OAAO,MAAA;AAAA,EACX;AAEA,EAAA,MAAM,gBAAA,GAAmB,MAAM,KAAA,CAAM,MAAA,CAAO,iBAAA,EAAmB;AAAA,IAC3D,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,WAAW,CAAA,CAAA;AAAG,GACrD,CAAA;AACD,EAAA,IAAI,CAAC,iBAAiB,EAAA,EAAI;AACtB,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,+BAAA,EAAkC,gBAAA,CAAiB,MAAM,CAAA,CAAA,EAAI,iBAAiB,UAAU,CAAA;AAAA,KAC5F;AAAA,EACJ;AAEA,EAAA,OAAQ,MAAM,iBAAiB,IAAA,EAAK;AACxC;AAQO,SAAS,WAAW,KAAA,EAAwB;AAC/C,EAAA,IAAI;AACA,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK,CAAA;AAC/B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,IAAO,GAAA;AAAA,EAC7D,CAAA,CAAA,MAAQ;AACJ,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC7HO,IAAM,2BAAN,MAA+B;AAAA,EAClC,WAAA,CACY,WACA,MAAA,EACV;AAFU,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQH,MAAM,WAAW,WAAA,EAAiD;AAC9D,IAAA,IAAI;AACA,MAAA,MAAM,UAAA,
GAAa,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,SAAS,CAAA;AAC1D,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,EAAE,UAAA,IAAc,qBAAqB,CAAA;AAExD,MAAA,MAAM,GAAA,GAAgB,MAAM,IAAA,CAAK,kBAAA;AAAA,QAC7B,UAAA,CAAW,cAAA;AAAA,QACX;AAAA,OACJ;AACA,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAE5B,MAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AAAA,QACT,EAAE,UAAU,IAAA,EAAK;AAAA,QACjB,CAAA,kCAAA,EAAqC,YAAY,QAAQ,CAAA;AAAA,OAC7D;AAEA,MAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACpB,QAAA,MAAM,IAAI,MAAM,4CAA4C,CAAA;AAAA,MAChE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IAChB,SAAS,KAAA,EAAO;AACZ,MAAA,IAAA,CAAK,QAAQ,KAAA,CAAM,EAAE,GAAA,EAAK,KAAA,IAAS,6BAA6B,CAAA;AAChE,MAAA,MAAM,KAAA;AAAA,IACV;AAAA,EACJ;AAAA,EAEA,MAAM,kBAAA,CACF,aAAA,EACA,WAAA,EACiB;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,WAAW,WAAA,CAAY,QAAA;AAAA,MACvB,eAAe,WAAA,CAAY,YAAA;AAAA,MAC3B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,QAAA,EAAU,YAAY,QAAA,IAAY;AAAA,KACrC,CAAA;AAED,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,aAAA,EAAe;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,OAAO,QAAA;AAAS,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAI,UAAA,EAAW;AAAA,QACjD;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,sBAAA,EAAyB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACzD;AAAA,IACJ;AAEA,IAAA,OAAO,GAAA;AAAA,EACX;AAAA,EAEA,MAAM,cAAc,GAAA,EAAkC;AAClD,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AAAA,QACT,EAAE,QAAQ,GAAA,CAAI,MAAA,EAAQ,YAAY,GAAA,CAAI,UAAA,EAAY,MAAM,IAAA,EAAK;AAAA,QAC7D;AAAA,OACJ;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACN,CAAA,mBAAA,EAAsB,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,UAAU,CAAA;AAAA,OACtD;AAAA,IACJ;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EACpB;AACJ;AAEO,IAAM,wBAAA,GAA2B,CACpC,SAAA,EACA,MAAA,MACE;AAAA,EACF,UAAA,EAAY,OAAO,WAAA,KACf,IAAI,yBAAyB,SAAA,EAAW,MAAM,CAAA,CAAE,UAAA,CAAW,WAAW;AAC9E,CAAA;AC3FO
,IAAM,yBAAN,MAA6B;AAAA,EAChC,aAAa,UAAA,CACT,MAAA,EACA,WAAA,EACA,MAAA,EACA,gBAAwB,IAAA,EACT;AACf,IAAA,MAAM,SAAS,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,YAAY,CAAA;AAChE,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAI,OAAA,CAAQ;AAAA,MAC1B,KAAK,WAAA,CAAY,QAAA;AAAA,MACjB,GAAA,EAAK,YAAY,QAAA,IAAY,EAAA;AAAA,MAC7B,KAAA,EAAO,YAAY,KAAA,IAAS,EAAA;AAAA,MAC5B,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,aAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACR,EACI,kBAAA,CAAmB,EAAE,KAAK,OAAA,EAAS,CAAA,CACnC,IAAA,CAAK,MAAM,CAAA;AAEhB,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AACrD,IAAA,OAAO,GAAA;AAAA,EACX;AACJ,CAAA;;;ACaO,IAAM,iBAAA,GAAN,MAAM,kBAAA,CAAiD;AAAA,EAG1D,WAAA,CACuB,QACT,MAAA,EACZ;AAFqB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACT,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAJd,IAAA,aAAA,CAAA,IAAA,EAAQ,aAAA,CAAA;AAAA,EAKL;AAAA,EAEH,OAAO,SAAA,CAAU,KAAA,EAAe,MAAA,EAAmC;AAC/D,IAAA,OAAO,IAAI,kBAAA,CAAkB,EAAE,QAAQ,QAAA,EAAU,KAAA,IAAS,MAAM,CAAA;AAAA,EACpE;AAAA,EAEA,OAAO,iBAAA,CACH,GAAA,EACA,IAAA,EACA,MAAA,EACiB;AACjB,IAAA,IAAI,IAAA,CAAK,WAAW,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAI,kBAAA;AAAA,QACP;AAAA,UACI,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,WAAA,EAAa;AAAA,YACT,UAAU,IAAA,CAAK,QAAA;AAAA,YACf,cAAc,IAAA,CAAK,YAAA;AAAA,YACnB,OAAO,IAAA,CAAK,KAAA;AAAA,YACZ,UAAU,IAAA,CAAK;AAAA;AACnB,SACJ;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,oBAAA,EAAsB;AACtC,MAAA,IAAI,IAAI,IAAA,KAAS,OAAA;AACb,QAAA,OAAO,IAAI,kBAAA;AAAA,UACP;AAAA,YACI,QAAQ,IAAA,CAAK,MAAA;AAAA,YACb,WAAW,GAAA,CAAI,SAAA;AAAA,YACf,WAAA,EAAa;AAAA,cACT,UAAU,IAAA,CAAK,QAAA;AAAA,cACf,cAAc,IAAA,CAAK,YAAA;AAAA,cACnB,OAAO,IAAA,CAAK,KAAA;AAAA,cACZ,UAAU,IAAA,CAAK;AAAA;AACnB,WACJ;AAAA,UACA;AAAA,SACJ;AAAA,WACC;AACD,QAAA,MAAM,IAAI,KAAA;AAAA,UACN,CAAA,SAAA,EAAY,IAAI,IAAI,CAAA,0CAAA;AAAA,SACxB;AAAA,MACJ;AAAA,IACJ;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACN,CAAA,YAAA,EAAe,KAAK,MAAM,CAAA,4CAAA;AAAA,KAC9B;AAAA,EACJ;AAAA,EAEA,MAAc,WAAA,GAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,0BAA0B,CAAA;AAE5C,IAAA,QAAQ,IAAA,C
AAK,OAAO,MAAA;AAAQ,MACxB,KAAK,QAAA;AACD,QAAA,OAAO,KAAK,MAAA,CAAO,KAAA;AAAA,MACvB,KAAK,aAAA;AACD,QAAA,OAAO,sBAAA,CAAuB,UAAA;AAAA,UAC1B,IAAA,CAAK,MAAA;AAAA,UACL,KAAK,MAAA,CAAO,WAAA;AAAA,UACZ,KAAK,MAAA,CAAO;AAAA,SAChB;AAAA,MACJ,KAAK,oBAAA;AACD,QAAA,OAAO,wBAAA;AAAA,UACH,KAAK,MAAA,CAAO,SAAA;AAAA,UACZ,IAAA,CAAK;AAAA,SACT,CAAE,UAAA,CAAW,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA;AAAA;AAC5C,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAkC;AAC3C,IAAA,IAAI,KAAK,WAAA,IAAe,CAAC,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IAChB,CAAA,MAAO;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,WAAA,EAAY;AACxC,MAAA,IAAI,UAAA,CAAW,QAAQ,CAAA,EAAG;AACtB,QAAA,MAAM,IAAI,KAAA;AAAA,UACN;AAAA,SACJ;AAAA,MACJ;AAEA,MAAA,IAAA,CAAK,WAAA,GAAc,QAAA;AACnB,MAAA,OAAO,QAAA;AAAA,IACX;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,cAAA,GAAuC;AAChD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,MAAM,MAAA,GAAS,UAAU,WAAW,CAAA;AACpC,IAAA,MAAM,KAAA,GAAQ,aAAa,WAAW,CAAA;AAEtC,IAAA,OAAO;AAAA,MACH,WAAA;AAAA,MACA,MAAA;AAAA,MACA,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU;AAAC,KAC7B;AAAA,EACJ;AACJ;ACzJA,IAAM,2BAAA,GAA8B,EAC/B,MAAA,CAAO;AAAA,EACJ,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA;AAChB,CAAC,EACA,IAAA,CAAK;AAAA,EACF,WAAA,EACI;AACR,CAAC,CAAA;AAEL,IAAM,2BAAA,GAA8B,EAAE,MAAA,CAAO;AAAA,EACzC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,oBAAA,GAAuB,EAAE,MAAA,CAAO;AAAA,EAClC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,YAAA,EAAc,EAAE,MAAA;AACpB,CAAC,CAAA;AAED,IAAM,8BAAA,GAAiC,EAAE,MAAA,CAAO;AAAA,EAC5C,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EACtC,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAA
O;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAED,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EACrC,MAAA,EAAQ,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,EACjB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,KAAA,EAAO,EAAE,MAAA,EAAO;AAAA,EAChB,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,EACnB,eAAA,EAAiB,EAAE,MAAA;AACvB,CAAC,CAAA;AAEM,IAAM,UAAA,GAAa,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EACrD,2BAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACJ,CAAC;AAEM,IAAM,iBAAA,GAAoB,CAAA,CAAE,kBAAA,CAAmB,QAAA,EAAU;AAAA,EAC5D,2BAAA;AAAA,EACA,8BAAA;AAAA,EACA;AACJ,CAAC;AAQM,IAAM,SAAA,GAAY,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EAClD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,aAAa,CAAA;AAAA,IAC7B,MAAA,EAAQ,EAAE,MAAA;AAAO,GACpB,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACL,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,IACb,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,IACvB,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,SAAA,EAAW,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA;AAAI,GAC7B;AACL,CAAC","file":"index.js","sourcesContent":["// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { decodeJwt } from 'jose'\nimport { AuthContext } from './auth-service'\nimport { providerErrors } from '@canton-network/core-rpc-errors'\n\nexport function assertConnected(\n authContext: AuthContext | undefined\n): AuthContext {\n if (!authContext) {\n throw providerErrors.unauthorized({\n message: 'User is not connected',\n })\n }\n return authContext\n}\n\n/**\n * Extract a User ID from the `sub` claim of a JWT. 
Throws if `sub` is missing.\n *\n * @param token a base64 encoded JWT token\n * @returns\n */\nexport function jwtUserId(token: string): string {\n const { sub } = decodeJwt(token)\n\n if (!sub) {\n throw new Error('token did not contain a subject field')\n }\n\n return sub\n}\n\n/**\n * Extract the optional `email` claim from a JWT.\n *\n * @param token a base64 encoded JWT token\n * @returns email when present, otherwise undefined\n */\nexport function jwtUserEmail(token: string): string | undefined {\n const { email } = decodeJwt(token)\n\n if (typeof email !== 'string' || email.length === 0) {\n return undefined\n }\n\n return email\n}\n\n/**\n * Standard OIDC UserInfo claims as defined by OpenID Connect Core 1.0.\n * https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n */\nexport interface OidcUserInfo {\n sub: string\n name?: string\n given_name?: string\n family_name?: string\n middle_name?: string\n nickname?: string\n preferred_username?: string\n profile?: string\n picture?: string\n website?: string\n email?: string\n email_verified?: boolean\n gender?: string\n birthdate?: string\n zoneinfo?: string\n locale?: string\n phone_number?: string\n phone_number_verified?: boolean\n updated_at?: number\n address?: Record<string, string>\n [key: string]: unknown\n}\n\n/**\n * Fetches user claims from the OIDC UserInfo endpoint.\n * Discovers the endpoint via the OIDC discovery document at configUrl.\n *\n * @param configUrl - The OIDC discovery document URL (/.well-known/openid-configuration)\n * @param accessToken - The user's bearer access token\n * @returns The UserInfo claims, or undefined if the IDP does not expose a userinfo endpoint\n * @throws If any network request fails\n */\nexport async function fetchOidcUserInfo(\n configUrl: string,\n accessToken: string\n): Promise<OidcUserInfo | undefined> {\n const configResponse = await fetch(configUrl)\n if (!configResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC discovery document: 
${configResponse.status} ${configResponse.statusText}`\n )\n }\n\n const config = (await configResponse.json()) as {\n userinfo_endpoint?: string\n }\n if (!config.userinfo_endpoint) {\n return undefined\n }\n\n const userInfoResponse = await fetch(config.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${accessToken}` },\n })\n if (!userInfoResponse.ok) {\n throw new Error(\n `Failed to fetch OIDC userinfo: ${userInfoResponse.status} ${userInfoResponse.statusText}`\n )\n }\n\n return (await userInfoResponse.json()) as OidcUserInfo\n}\n\n/**\n * Determine if a given JWT is still valid based on its expiry time.\n *\n * @param token a base64 encoded JWT token\n * @returns true if the token is expired, false if not\n */\nexport function jwtExpired(token: string): boolean {\n try {\n const payload = decodeJwt(token)\n const now = Math.floor(Date.now() / 1000)\n return typeof payload.exp === 'number' && payload.exp <= now\n } catch {\n return true\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials, OIDCConfig } from './auth-service.js'\n\nexport class ClientCredentialsService {\n constructor(\n private configUrl: string,\n private logger: Logger | undefined\n ) {}\n\n /**\n * Fetches the JWT token (M2M) using client credentials.\n *\n * @returns The JWT access token as a string.\n * @throws If fetching the token fails or the response is invalid.\n */\n async fetchToken(credentials: ClientCredentials): Promise<string> {\n try {\n const oidcConfig = await this.getOIDCConfig(this.configUrl)\n this.logger?.debug({ oidcConfig }, 'Fetched OIDC config')\n\n const res: Response = await this.fetchTokenEndpoint(\n oidcConfig.token_endpoint,\n credentials\n )\n const json = await res.json()\n\n this.logger?.info(\n { response: json },\n `Fetched admin token for clientId: ${credentials.clientId}`\n )\n\n if (!json.access_token) {\n throw new Error('No access_token in token endpoint response')\n }\n\n return json.access_token\n } catch (error) {\n this.logger?.error({ err: error }, 'Failed to fetch admin token')\n throw error\n }\n }\n\n async fetchTokenEndpoint(\n tokenEndpoint: string,\n credentials: ClientCredentials\n ): Promise<Response> {\n const params = new URLSearchParams({\n grant_type: 'client_credentials',\n client_id: credentials.clientId,\n client_secret: credentials.clientSecret,\n scope: credentials.scope ?? '',\n audience: credentials.audience ?? 
'',\n })\n\n const res = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: params.toString(),\n })\n\n if (!res.ok) {\n this.logger?.error(\n { status: res.status, statusText: res.statusText },\n 'Token endpoint error'\n )\n throw new Error(\n `Token endpoint error: ${res.status} ${res.statusText}`\n )\n }\n\n return res\n }\n\n async getOIDCConfig(url: string): Promise<OIDCConfig> {\n const res = await fetch(url)\n if (!res.ok) {\n const text = await res.text()\n this.logger?.error(\n { status: res.status, statusText: res.statusText, body: text },\n 'Failed to fetch OIDC config'\n )\n throw new Error(\n `OIDC config error: ${res.status} ${res.statusText}`\n )\n }\n return res.json()\n }\n}\n\nexport const clientCredentialsService = (\n configUrl: string,\n logger: Logger | undefined\n) => ({\n fetchToken: async (credentials: ClientCredentials) =>\n new ClientCredentialsService(configUrl, logger).fetchToken(credentials),\n})\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. 
All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport { ClientCredentials } from './auth-service.js'\nimport { SignJWT } from 'jose'\n\nexport class SelfSignedTokenService {\n static async fetchToken(\n logger: Logger,\n credentials: ClientCredentials,\n issuer: string,\n expirySeconds: number = 3600\n ): Promise<string> {\n const secret = new TextEncoder().encode(credentials.clientSecret)\n const now = Math.floor(Date.now() / 1000)\n const jwt = await new SignJWT({\n sub: credentials.clientId,\n aud: credentials.audience || '',\n scope: credentials.scope || '',\n iat: now,\n exp: now + expirySeconds,\n iss: issuer,\n })\n .setProtectedHeader({ alg: 'HS256' })\n .sign(secret)\n\n logger.info(`Generated self-signed JWT token: ${jwt}`)\n return jwt\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Logger } from '@canton-network/core-types'\nimport {\n AccessTokenProvider,\n AuthContext,\n ClientCredentials,\n} from './auth-service'\nimport { jwtExpired, jwtUserEmail, jwtUserId } from './auth-utils'\nimport { clientCredentialsService } from './client-credentials-service'\nimport { SelfSignedTokenService } from './self-signed-token-service'\nimport { Auth, Idp } from './config/schema'\n\nexport type TokenProviderConfig =\n | {\n method: 'static'\n token: string\n }\n | {\n method: 'self_signed'\n issuer: string\n credentials: ClientCredentials\n }\n | {\n method: 'client_credentials'\n configUrl: string\n credentials: ClientCredentials\n }\n\n/**\n * AuthTokenProvider provides some common functionality across token providers.\n *\n * 1. Token caching: tokens are cached in-memory, so long as the token lifespan is not expired.\n * 2. 
Context retrieval: deriving a user context from the stored access token.\n *\n *\n * The following programmatic methods of token fetching are supported:\n *\n * - `static`: a fixed, in-memory token. Only used for compatibility, it will totally break for expired tokens.\n * - `self_signed`: only for development purposes, used for Canton setups that accept HMAC256 self signed tokens.\n * - `client_credentials`: used to programmatically acquire tokens via oauth2, a.k.a \"machine-to-machine\" tokens.\n */\nexport class AuthTokenProvider implements AccessTokenProvider {\n private cachedToken: string | undefined\n\n constructor(\n protected readonly config: TokenProviderConfig,\n protected logger: Logger\n ) {}\n\n static fromToken(token: string, logger: Logger): AuthTokenProvider {\n return new AuthTokenProvider({ method: 'static', token }, logger)\n }\n\n static fromGatewayConfig(\n idp: Idp,\n auth: Auth,\n logger: Logger\n ): AuthTokenProvider {\n if (auth.method === 'self_signed') {\n return new AuthTokenProvider(\n {\n method: auth.method,\n issuer: auth.issuer,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n }\n\n if (auth.method === 'client_credentials') {\n if (idp.type === 'oauth')\n return new AuthTokenProvider(\n {\n method: auth.method,\n configUrl: idp.configUrl,\n credentials: {\n clientId: auth.clientId,\n clientSecret: auth.clientSecret,\n scope: auth.scope,\n audience: auth.audience,\n },\n },\n logger\n )\n else {\n throw new Error(\n `IDP type ${idp.type} not supported for client_credentials auth`\n )\n }\n }\n\n throw new Error(\n `Auth method ${auth.method} not supported for programmatic access token`\n )\n }\n\n private async _fetchToken(): Promise<string> {\n this.logger.debug('Fetching user auth token')\n\n switch (this.config.method) {\n case 'static':\n return this.config.token\n case 'self_signed':\n return 
SelfSignedTokenService.fetchToken(\n this.logger,\n this.config.credentials,\n this.config.issuer\n )\n case 'client_credentials':\n return clientCredentialsService(\n this.config.configUrl,\n this.logger\n ).fetchToken(this.config.credentials)\n }\n }\n\n /**\n *\n * @returns A valid JWT token retrieved according to the auth configuration given.\n */\n public async getAccessToken(): Promise<string> {\n if (this.cachedToken && !jwtExpired(this.cachedToken)) {\n return this.cachedToken\n } else {\n const newToken = await this._fetchToken()\n if (jwtExpired(newToken)) {\n throw new Error(\n 'Attempted to refresh a token, but it came back expired.'\n )\n }\n\n this.cachedToken = newToken\n return newToken\n }\n }\n\n /**\n *\n * @returns An AuthContext containing a valid token and userId.\n */\n public async getAuthContext(): Promise<AuthContext> {\n const accessToken = await this.getAccessToken()\n const userId = jwtUserId(accessToken)\n const email = jwtUserEmail(accessToken)\n\n return {\n accessToken,\n userId,\n ...(email ? { email } : {}),\n }\n }\n}\n","// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { z } from 'zod'\n\nconst authorizationCodeAuthSchema = z\n .object({\n method: z.literal('authorization_code'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n })\n .meta({\n description:\n 'Authorization code flow authentication configuration. 
This is used for browser-based application login.',\n })\n\nconst clientCredentialsAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst selfSignedAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecret: z.string(),\n})\n\nconst clientCredentialsEnvAuthSchema = z.object({\n method: z.literal('client_credentials'),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nconst selfSignedEnvAuthSchema = z.object({\n method: z.literal('self_signed'),\n issuer: z.string(),\n audience: z.string(),\n scope: z.string(),\n clientId: z.string(),\n clientSecretEnv: z.string(),\n})\n\nexport const authSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsAuthSchema,\n selfSignedAuthSchema,\n])\n\nexport const authFromEnvSchema = z.discriminatedUnion('method', [\n authorizationCodeAuthSchema,\n clientCredentialsEnvAuthSchema,\n selfSignedEnvAuthSchema,\n])\n\nexport type Auth = z.infer<typeof authSchema>\nexport type AuthFromEnv = z.infer<typeof authFromEnvSchema>\nexport type AuthorizationCodeAuth = z.infer<typeof authorizationCodeAuthSchema>\nexport type ClientCredentialsAuth = z.infer<typeof clientCredentialsAuthSchema>\nexport type SelfSignedAuth = z.infer<typeof selfSignedAuthSchema>\n\nexport const idpSchema = z.discriminatedUnion('type', [\n z.object({\n id: z.string(),\n type: z.literal('self_signed'),\n issuer: z.string(),\n }),\n z.object({\n id: z.string(),\n type: z.literal('oauth'),\n issuer: z.string(),\n configUrl: z.string().url(),\n }),\n])\n\nexport type Idp = z.infer<typeof idpSchema>\n"]}
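--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@canton-network/core-wallet-auth",
- "version": "0.24.0",
+ "version": "0.24.2",
  "type": "module",
  "description": "Provides authentication middleware and user management for the Wallet Gateway",
  "license": "Apache-2.0",
@@ -36,8 +36,8 @@
  "typescript": "^5.9.3"
  },
  "dependencies": {
- "@canton-network/core-rpc-errors": "^0.19.0",
- "@canton-network/core-types": "^0.23.0",
+ "@canton-network/core-rpc-errors": "^0.19.2",
+ "@canton-network/core-types": "^0.23.2",
  "jose": "^6.1.3",
  "zod": "^4.3.6"
  },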