@commercetools/connect-payments-sdk 0.0.3 → 0.0.4

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @commercetools/connect-payments-sdk
 
+## 0.0.4
+
+### Patch Changes
+
+- ab6200f: Support jwt, oauth2 authentication and support for authority based authorization
+
 ## 0.0.3
 
 ### Patch Changes

package/dist/api/handlers/config.handler.d.ts

@@ -1,4 +1,4 @@
 import { HandlerResponse } from './types/handler.type';
 export declare const configHandler: (options: {
     configuration: () => Promise<object> | object;
-}) => () => Promise<HandlerResponse>;
+}) => () => Promise<HandlerResponse<object>>;

package/dist/api/handlers/status.handler.d.ts

@@ -1,5 +1,12 @@
 import { CommercetoolsAuthorizationService } from '../../commercetools';
 import { HandlerResponse } from './types/handler.type';
+type HealthCheckStatus = {
+    status: 'OK' | 'Partially Available' | 'Unavailable';
+    timestamp: string;
+    checks: HealthCheckResult[];
+    version: string;
+    metadata?: object;
+};
 export type HealthCheckResult = {
     name: string;
     status: 'UP' | 'DOWN';
@@ -10,7 +17,7 @@ export declare const statusHandler: (options: {
     timeout: number;
     checks: HealthCheck[];
     metadataFn?: () => Promise<object> | object;
-}) => () => Promise<HandlerResponse>;
+}) => () => Promise<HandlerResponse<HealthCheckStatus>>;
 /**
  * Check if CoCo permissions are available
  * @param opts
@@ -21,3 +28,4 @@ export declare const healthCheckCommercetoolsPermissions: (opts: {
     projectKey: string;
     requiredPermissions: string[];
 }) => () => Promise<HealthCheckResult>;
+export {};

package/dist/api/handlers/types/handler.type.d.ts

@@ -1,5 +1,5 @@
-export type HandlerResponse = {
+export type HandlerResponse<T> = {
     status: number;
-    body?: object;
+    body: T;
     headers?: object;
 };

package/dist/api/hooks/jwt-auth.hook.d.ts

@@ -0,0 +1,16 @@
+/// <reference types="node" />
+import { IncomingHttpHeaders } from 'node:http';
+import { JWTAuthenticationManager } from '../../security/authn/jwt-authn-manager';
+import { ContextProvider, RequestContextData } from '../context/types/request-context.type';
+import { AuthenticationHook } from './types/hook.type';
+export declare class JWTAuthenticationHook implements AuthenticationHook {
+    private authenticationManager;
+    private contextProvider;
+    constructor(opts: {
+        authenticationManager: JWTAuthenticationManager;
+        contextProvider: ContextProvider<RequestContextData>;
+    });
+    authenticate(): (request: {
+        headers: IncomingHttpHeaders;
+    }) => Promise<void>;
+}

package/dist/api/hooks/jwt-auth.hook.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTAuthenticationHook = void 0;
+const security_1 = require("../../security");
+class JWTAuthenticationHook {
+    authenticationManager;
+    contextProvider;
+    constructor(opts) {
+        this.authenticationManager = opts.authenticationManager;
+        this.contextProvider = opts.contextProvider;
+    }
+    authenticate() {
+        return async (request) => {
+            const authorizationHeader = new security_1.HeaderBasedAuthentication(request.headers['authorization']);
+            const authn = await this.authenticationManager.authenticate(authorizationHeader);
+            this.contextProvider.updateContextData({
+                authentication: authn,
+            });
+        };
+    }
+}
+exports.JWTAuthenticationHook = JWTAuthenticationHook;

package/dist/api/hooks/oauth2-auth.hook.d.ts

@@ -0,0 +1,16 @@
+/// <reference types="node" />
+import { IncomingHttpHeaders } from 'node:http';
+import { Oauth2AuthenticationManager } from '../../security/authn/oauth2-authn-manager';
+import { ContextProvider, RequestContextData } from '../context/types/request-context.type';
+import { AuthenticationHook } from './types/hook.type';
+export declare class Oauth2AuthenticationHook implements AuthenticationHook {
+    private authenticationManager;
+    private contextProvider;
+    constructor(opts: {
+        authenticationManager: Oauth2AuthenticationManager;
+        contextProvider: ContextProvider<RequestContextData>;
+    });
+    authenticate(): (request: {
+        headers: IncomingHttpHeaders;
+    }) => Promise<void>;
+}

package/dist/api/hooks/oauth2-auth.hook.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Oauth2AuthenticationHook = void 0;
+const security_1 = require("../../security");
+class Oauth2AuthenticationHook {
+    authenticationManager;
+    contextProvider;
+    constructor(opts) {
+        this.authenticationManager = opts.authenticationManager;
+        this.contextProvider = opts.contextProvider;
+    }
+    authenticate() {
+        return async (request) => {
+            const authorizationHeader = new security_1.HeaderBasedAuthentication(request.headers['authorization']);
+            const authn = await this.authenticationManager.authenticate(authorizationHeader);
+            this.contextProvider.updateContextData({
+                authentication: authn,
+            });
+        };
+    }
+}
+exports.Oauth2AuthenticationHook = Oauth2AuthenticationHook;

package/dist/api/hooks/types/hook.type.d.ts

@@ -5,3 +5,6 @@ export interface AuthenticationHook {
         headers: IncomingHttpHeaders;
     }) => Promise<void>;
 }
+export interface AuthorizationHook {
+    authorize(...authorities: string[]): () => Promise<void>;
+}

package/dist/api/index.d.ts

@@ -2,5 +2,7 @@ export * from './context/request-context.provider';
 export * from './context/types/request-context.type';
 export * from './handlers/config.handler';
 export * from './handlers/status.handler';
+export * from './hooks/jwt-auth.hook';
+export * from './hooks/oauth2-auth.hook';
 export * from './hooks/session-auth.hook';
 export * from './hooks/types/hook.type';

package/dist/api/index.js

@@ -18,5 +18,7 @@ __exportStar(require("./context/request-context.provider"), exports);
 __exportStar(require("./context/types/request-context.type"), exports);
 __exportStar(require("./handlers/config.handler"), exports);
 __exportStar(require("./handlers/status.handler"), exports);
+__exportStar(require("./hooks/jwt-auth.hook"), exports);
+__exportStar(require("./hooks/oauth2-auth.hook"), exports);
 __exportStar(require("./hooks/session-auth.hook"), exports);
 __exportStar(require("./hooks/types/hook.type"), exports);

package/dist/errorx/errorx.d.ts

@@ -44,7 +44,7 @@ export declare class MultiErrorx extends Error {
  * }
  */
 export declare class ErrorAuthErrorResponse extends Errorx {
-    constructor(additionalOpts?: ErrorxAdditionalOpts);
+    constructor(message?: string, additionalOpts?: ErrorxAdditionalOpts, code?: string);
 }
 /**
  * General (https://docs.commercetools.com/api/errors#general)

package/dist/errorx/errorx.js

@@ -59,11 +59,11 @@ exports.MultiErrorx = MultiErrorx;
  * }
  */
 class ErrorAuthErrorResponse extends Errorx {
-    constructor(additionalOpts) {
+    constructor(message, additionalOpts, code) {
         super({
-            code: 'AuthErrorResponse',
+            code: code || 'invalid_token',
             httpErrorStatus: 401,
-            message: 'Authentication error.',
+            message: message || 'Authentication error.',
             ...additionalOpts,
         });
     }

package/dist/index.d.ts

@@ -1,8 +1,8 @@
-import { RequestContextData, RequestContextProvider, SessionAuthenticationHook } from './api';
+import { JWTAuthenticationHook, Oauth2AuthenticationHook, RequestContextData, RequestContextProvider, SessionAuthenticationHook } from './api';
 import { DefaultCommercetoolsAPI } from './commercetools/api/root-api';
+import { DefaultAuthorizationService } from './commercetools/services/ct-authorization.service';
 import { DefaultCartService } from './commercetools/services/ct-cart.service';
 import { DefaultPaymentService } from './commercetools/services/ct-payment.service';
-import { DefaultAuthorizationService } from './commercetools/services/ct-authorization.service';
 import { Logger } from './logger';
 export * from './api';
 export * from './commercetools';
@@ -13,9 +13,11 @@ export declare const setupPaymentSDK: (opts: {
     authUrl: string;
     apiUrl: string;
     sessionUrl: string;
+    jwksUrl: string;
     clientId: string;
     clientSecret: string;
     projectKey: string;
+    jwtIssuer: string;
     getContextFn: () => RequestContextData;
     updateContextFn: (ctx: Partial<RequestContextData>) => void;
     logger?: Logger | undefined;
@@ -26,4 +28,6 @@ export declare const setupPaymentSDK: (opts: {
     ctAuthorizationService: DefaultAuthorizationService;
     contextProvider: RequestContextProvider;
     sessionAuthHookFn: SessionAuthenticationHook;
+    jwtAuthHookFn: JWTAuthenticationHook;
+    oauth2AuthHookFn: Oauth2AuthenticationHook;
 };

package/dist/index.js

@@ -17,9 +17,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.setupPaymentSDK = void 0;
 const api_1 = require("./api");
 const root_api_1 = require("./commercetools/api/root-api");
+const ct_authorization_service_1 = require("./commercetools/services/ct-authorization.service");
 const ct_cart_service_1 = require("./commercetools/services/ct-cart.service");
 const ct_payment_service_1 = require("./commercetools/services/ct-payment.service");
-const ct_authorization_service_1 = require("./commercetools/services/ct-authorization.service");
 const ct_session_service_1 = require("./commercetools/services/ct-session.service");
 const base_decorator_1 = require("./fetch/decorators/base.decorator");
 const monitoring_decorator_1 = require("./fetch/decorators/monitoring.decorator");
@@ -57,13 +57,35 @@ const setupPaymentSDK = (opts) => {
         sessionUrl: opts.sessionUrl,
         projectKey: opts.projectKey,
     });
+    const oauth2Service = new security_1.DefaultOauth2Service();
+    const jwtService = new security_1.DefaultJWTService({
+        jwksUrl: opts.jwksUrl,
+    });
     const sessionAuthenticationManager = new security_1.SessionAuthenticationManager({
         sessionService,
     });
+    const oauth2AuthenticationManager = new security_1.Oauth2AuthenticationManager({
+        oauth2Service,
+        clientId: opts.clientId,
+        clientSecret: opts.clientSecret,
+        authUrl: opts.authUrl,
+    });
+    const jwtAuthenticationManager = new security_1.JWTAuthenticationManager({
+        jwtService,
+        iss: opts.jwtIssuer,
+    });
     const sessionAuthHookFn = new api_1.SessionAuthenticationHook({
         authenticationManager: sessionAuthenticationManager,
         contextProvider,
     });
+    const jwtAuthHookFn = new api_1.JWTAuthenticationHook({
+        authenticationManager: jwtAuthenticationManager,
+        contextProvider,
+    });
+    const oauth2AuthHookFn = new api_1.Oauth2AuthenticationHook({
+        authenticationManager: oauth2AuthenticationManager,
+        contextProvider,
+    });
     return {
         ctAPI,
         ctCartService,
@@ -71,6 +93,8 @@ const setupPaymentSDK = (opts) => {
         ctAuthorizationService,
         contextProvider,
         sessionAuthHookFn,
+        jwtAuthHookFn,
+        oauth2AuthHookFn,
     };
 };
 exports.setupPaymentSDK = setupPaymentSDK;

package/dist/security/authn/authns.d.ts

@@ -1,4 +1,4 @@
-import { Authentication, HeaderPrincipal, SessionPrincipal } from './types/authn.type';
+import { Authentication, HeaderPrincipal, JWTPrincipal, Oauth2Principal, SessionPrincipal } from './types/authn.type';
 export declare class SessionAuthentication implements Authentication<SessionPrincipal, string> {
     private principal;
     private authorities;
@@ -22,3 +22,28 @@ export declare class HeaderBasedAuthentication implements Authentication<HeaderP
     getPrincipal(): HeaderPrincipal;
     isAuthenticated(): boolean;
 }
+export declare class Oauth2Authentication implements Authentication<Oauth2Principal, string> {
+    private principal;
+    private authorities;
+    private authenticated;
+    private accessToken;
+    constructor(accessToken: string, principal: Oauth2Principal);
+    hasPrincipal(): boolean;
+    getAuthorities(): string[];
+    hasCredentials(): boolean;
+    getPrincipal(): Oauth2Principal;
+    getCredentials(): string;
+    isAuthenticated(): boolean;
+}
+export declare class JWTAuthentication implements Authentication<JWTPrincipal, string> {
+    private principal;
+    private authenticated;
+    private jwt;
+    constructor(jwt: string, principal: JWTPrincipal);
+    hasPrincipal(): boolean;
+    getAuthorities(): string[];
+    hasCredentials(): boolean;
+    getPrincipal(): JWTPrincipal;
+    getCredentials(): string;
+    isAuthenticated(): boolean;
+}

package/dist/security/authn/authns.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HeaderBasedAuthentication = exports.SessionAuthentication = void 0;
+exports.JWTAuthentication = exports.Oauth2Authentication = exports.HeaderBasedAuthentication = exports.SessionAuthentication = void 0;
 class SessionAuthentication {
     principal;
     authorities;
@@ -58,3 +58,66 @@ class HeaderBasedAuthentication {
     }
 }
 exports.HeaderBasedAuthentication = HeaderBasedAuthentication;
+class Oauth2Authentication {
+    principal;
+    authorities;
+    authenticated;
+    accessToken;
+    constructor(accessToken, principal) {
+        this.principal = principal;
+        this.authorities = principal.scope
+            .split(' ')
+            .map((scope) => scope.split(':')[0])
+            .filter((scope) => scope !== '');
+        this.authenticated = true;
+        this.accessToken = accessToken;
+    }
+    hasPrincipal() {
+        return this.getPrincipal() !== undefined;
+    }
+    getAuthorities() {
+        return this.authorities;
+    }
+    hasCredentials() {
+        return this.getCredentials() !== undefined;
+    }
+    getPrincipal() {
+        return this.principal;
+    }
+    getCredentials() {
+        return this.accessToken;
+    }
+    isAuthenticated() {
+        return this.authenticated;
+    }
+}
+exports.Oauth2Authentication = Oauth2Authentication;
+class JWTAuthentication {
+    principal;
+    authenticated;
+    jwt;
+    constructor(jwt, principal) {
+        this.principal = principal;
+        this.authenticated = true;
+        this.jwt = jwt;
+    }
+    hasPrincipal() {
+        return this.getPrincipal() !== undefined;
+    }
+    getAuthorities() {
+        return [];
+    }
+    hasCredentials() {
+        return this.getCredentials() !== undefined;
+    }
+    getPrincipal() {
+        return this.principal;
+    }
+    getCredentials() {
+        return this.jwt;
+    }
+    isAuthenticated() {
+        return this.authenticated;
+    }
+}
+exports.JWTAuthentication = JWTAuthentication;

package/dist/security/authn/bearer-utils.d.ts

@@ -0,0 +1 @@
+export declare const validateBearerAuthorization: (authorization: string | undefined) => string;

package/dist/security/authn/bearer-utils.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateBearerAuthorization = void 0;
+const errorx_1 = require("../../errorx");
+const validateBearerAuthorization = (authorization) => {
+    if (!authorization) {
+        throw new errorx_1.ErrorAuthErrorResponse('This endpoint requires the authorization header.', {
+            skipLog: true,
+        }, 'access_denied');
+    }
+    const authorizationParts = authorization.split(' ');
+    if (authorizationParts.length !== 2 || authorizationParts[0] !== 'Bearer') {
+        throw new errorx_1.ErrorAuthErrorResponse(`Authorization header must have the format 'Bearer <token>'`, {
+            skipLog: true,
+        }, 'invalid_request');
+    }
+    return authorizationParts[1];
+};
+exports.validateBearerAuthorization = validateBearerAuthorization;

package/dist/security/authn/jwt-authn-manager.d.ts

@@ -0,0 +1,12 @@
+import { JWTService } from '../services/types/jwt.type';
+import { HeaderBasedAuthentication, JWTAuthentication } from './authns';
+import { AuthenticationManager } from './types/authn.type';
+export declare class JWTAuthenticationManager implements AuthenticationManager {
+    private jwtService;
+    private iss;
+    constructor(opts: {
+        jwtService: JWTService;
+        iss: string;
+    });
+    authenticate(authentication: HeaderBasedAuthentication): Promise<JWTAuthentication>;
+}

package/dist/security/authn/jwt-authn-manager.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTAuthenticationManager = void 0;
+const errorx_1 = require("../../errorx");
+const authns_1 = require("./authns");
+const bearer_utils_1 = require("./bearer-utils");
+class JWTAuthenticationManager {
+    jwtService;
+    iss;
+    constructor(opts) {
+        this.jwtService = opts.jwtService;
+        this.iss = opts.iss;
+    }
+    async authenticate(authentication) {
+        const principal = authentication.getPrincipal();
+        const token = (0, bearer_utils_1.validateBearerAuthorization)(principal.authHeader);
+        const decodedToken = (await this.jwtService.verify({
+            token,
+        }));
+        if (decodedToken.iss !== this.iss) {
+            throw new errorx_1.ErrorAuthErrorResponse('Issuer in the token does not match the expected issuer', {
+                privateFields: {
+                    expectedIssuer: this.iss,
+                    actualIssuer: decodedToken['iss'],
+                },
+            });
+        }
+        return new authns_1.JWTAuthentication(token, {
+            mcCustomerId: decodedToken['sub'],
+        });
+    }
+}
+exports.JWTAuthenticationManager = JWTAuthenticationManager;

package/dist/security/authn/oauth2-authn-manager.d.ts

@@ -0,0 +1,17 @@
+import { Oauth2Service } from '../services/types/oauth2.type';
+import { HeaderBasedAuthentication, Oauth2Authentication } from './authns';
+import { AuthenticationManager } from './types/authn.type';
+export declare class Oauth2AuthenticationManager implements AuthenticationManager {
+    private oauth2Service;
+    private clientId;
+    private clientSecret;
+    private authUrl;
+    constructor(opts: {
+        oauth2Service: Oauth2Service;
+        clientId: string;
+        clientSecret: string;
+        authUrl: string;
+    });
+    authenticate(authentication: HeaderBasedAuthentication): Promise<Oauth2Authentication>;
+    private searchPermission;
+}

package/dist/security/authn/oauth2-authn-manager.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Oauth2AuthenticationManager = void 0;
+const errorx_1 = require("../../errorx");
+const authns_1 = require("./authns");
+const bearer_utils_1 = require("./bearer-utils");
+class Oauth2AuthenticationManager {
+    oauth2Service;
+    clientId;
+    clientSecret;
+    authUrl;
+    constructor(opts) {
+        this.oauth2Service = opts.oauth2Service;
+        this.clientId = opts.clientId;
+        this.clientSecret = opts.clientSecret;
+        this.authUrl = opts.authUrl;
+    }
+    async authenticate(authentication) {
+        const principal = authentication.getPrincipal();
+        const authorizationHeader = principal.authHeader;
+        const token = (0, bearer_utils_1.validateBearerAuthorization)(authorizationHeader);
+        const tokenIntrospectionResponseData = await this.oauth2Service.introspectToken({
+            url: `${this.authUrl}/oauth/introspect`,
+            clientId: this.clientId,
+            clientSecret: this.clientSecret,
+            token,
+        });
+        if (!tokenIntrospectionResponseData.active) {
+            throw new errorx_1.ErrorAuthErrorResponse('invalid_token', {
+                skipLog: true,
+            });
+        }
+        const scopes = tokenIntrospectionResponseData.scope?.split(' ') ?? null;
+        if (!scopes) {
+            throw new errorx_1.ErrorAuthErrorResponse('Token has no scopes.', {
+                skipLog: true,
+            });
+        }
+        // Search for customer_id:<customer> scope
+        const customerPermission = this.searchPermission(scopes, 'customer_id');
+        // Search for anonymous_id:<anonymous> scope
+        const anonymousPermission = this.searchPermission(scopes, 'anonymous_id');
+        return new authns_1.Oauth2Authentication(token, {
+            scope: tokenIntrospectionResponseData.scope,
+            clientId: tokenIntrospectionResponseData.client_id,
+            customerId: customerPermission?.principal,
+            anonymousId: anonymousPermission?.principal,
+        });
+    }
+    searchPermission(scopes, ...permissions) {
+        for (const permission of permissions) {
+            // Search for customer_id:<customer> scope
+            const permissionIndex = scopes.findIndex((element) => element.startsWith(`${permission}`));
+            if (permissionIndex >= 0) {
+                const splitPermission = scopes[permissionIndex].split(':');
+                return {
+                    permission: splitPermission[0],
+                    principal: splitPermission[1],
+                };
+            }
+        }
+        return undefined;
+    }
+}
+exports.Oauth2AuthenticationManager = Oauth2AuthenticationManager;

package/dist/security/authn/session-authn-manager.js

@@ -18,7 +18,7 @@ class SessionAuthenticationManager {
             });
         }
         catch (e) {
-            throw new errorx_1.ErrorAuthErrorResponse();
+            throw new errorx_1.ErrorAuthErrorResponse('Session is not active');
         }
     }
 }

package/dist/security/authn/types/authn.type.d.ts

@@ -9,10 +9,19 @@ export interface Authentication<Principal = unknown, Credentials = unknown> {
     getCredentials(): Credentials;
     isAuthenticated(): boolean;
 }
+export type HeaderPrincipal = {
+    authHeader: string;
+};
 export type SessionPrincipal = {
     cartId: string;
     allowedPaymentMethods: string[];
 };
-export type HeaderPrincipal = {
-    authHeader: string;
+export type Oauth2Principal = {
+    clientId: string;
+    scope: string;
+    customerId?: string;
+    anonymousId?: string;
+};
+export type JWTPrincipal = {
+    mcCustomerId?: string;
 };

package/dist/security/index.d.ts

@@ -1,3 +1,7 @@
-export * from './authn/types/authn.type';
 export * from './authn/authns';
+export * from './authn/jwt-authn-manager';
+export * from './authn/oauth2-authn-manager';
 export * from './authn/session-authn-manager';
+export * from './authn/types/authn.type';
+export * from './services/jwt.service';
+export * from './services/oauth2.service';

package/dist/security/index.js

@@ -14,6 +14,10 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./authn/types/authn.type"), exports);
 __exportStar(require("./authn/authns"), exports);
+__exportStar(require("./authn/jwt-authn-manager"), exports);
+__exportStar(require("./authn/oauth2-authn-manager"), exports);
 __exportStar(require("./authn/session-authn-manager"), exports);
+__exportStar(require("./authn/types/authn.type"), exports);
+__exportStar(require("./services/jwt.service"), exports);
+__exportStar(require("./services/oauth2.service"), exports);

package/dist/security/services/jwt.service.d.ts

@@ -0,0 +1,10 @@
+import { JWTService } from './types/jwt.type';
+export declare class DefaultJWTService implements JWTService {
+    private client;
+    constructor(opts: {
+        jwksUrl: string;
+    });
+    verify(opts: {
+        token: string | undefined;
+    }): Promise<unknown>;
+}

package/dist/security/services/jwt.service.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultJWTService = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const errorx_1 = require("../../errorx");
+class DefaultJWTService {
+    client;
+    constructor(opts) {
+        this.client = (0, jwks_rsa_1.default)({
+            jwksUri: opts.jwksUrl,
+        });
+    }
+    async verify(opts) {
+        const getKey = (header, callback) => {
+            this.client.getSigningKey(header.kid, function (err, key) {
+                if (err) {
+                    return callback(err);
+                }
+                const signingKey = key.getPublicKey();
+                callback(null, signingKey);
+            });
+        };
+        return new Promise((resolve, reject) => {
+            if (!opts.token) {
+                throw new errorx_1.ErrorAuthErrorResponse('Token is missing');
+            }
+            jsonwebtoken_1.default.verify(opts.token, getKey, {}, function (err, decoded) {
+                if (err) {
+                    return reject(new errorx_1.ErrorAuthErrorResponse(err.message, { privateMessage: err.message, cause: err }));
+                }
+                return resolve(decoded);
+            });
+        });
+    }
+}
+exports.DefaultJWTService = DefaultJWTService;

package/dist/security/services/oauth2.service.d.ts

@@ -0,0 +1,9 @@
+import { Oauth2Service, TokenInfo } from './types/oauth2.type';
+export declare class DefaultOauth2Service implements Oauth2Service {
+    introspectToken(opts: {
+        url: string;
+        clientId: string;
+        clientSecret: string;
+        token: string;
+    }): Promise<TokenInfo>;
+}

package/dist/security/services/oauth2.service.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultOauth2Service = void 0;
+const errorx_1 = require("../../errorx");
+class DefaultOauth2Service {
+    async introspectToken(opts) {
+        const urlencoded = new URLSearchParams();
+        urlencoded.append('token', opts.token);
+        const tokenResponse = await fetch(opts.url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Authorization: `Basic ${btoa(opts.clientId + ':' + opts.clientSecret)}`,
+            },
+            body: urlencoded,
+        });
+        if (tokenResponse.status > 299) {
+            if (tokenResponse.status === 401) {
+                const tokenResponseJson = (await tokenResponse.json());
+                throw new errorx_1.ErrorAuthErrorResponse(tokenResponseJson.message, {
+                    privateFields: {
+                        clientId: opts.clientId,
+                        status: tokenResponse.status,
+                    },
+                    skipLog: true,
+                }, tokenResponseJson.error);
+            }
+            throw new errorx_1.ErrorGeneral('Failed to authorize request.', {
+                privateMessage: 'some error happened while requesting token from coco',
+                privateFields: {
+                    clientId: opts.clientId,
+                    status: tokenResponse.status,
+                },
+                skipLog: true,
+            });
+        }
+        return (await tokenResponse.json());
+    }
+}
+exports.DefaultOauth2Service = DefaultOauth2Service;

package/dist/security/services/types/jwt.type.d.ts

@@ -0,0 +1,5 @@
+export interface JWTService {
+    verify(opts: {
+        token: string | undefined;
+    }): Promise<unknown>;
+}

package/dist/security/services/types/jwt.type.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/security/services/types/oauth2.type.d.ts

@@ -0,0 +1,14 @@
+export type TokenInfo = {
+    active: boolean;
+    scope: string;
+    exp: number;
+    client_id: string;
+};
+export interface Oauth2Service {
+    introspectToken(opts: {
+        url: string;
+        clientId: string;
+        clientSecret: string;
+        token: string;
+    }): Promise<TokenInfo>;
+}

package/dist/security/services/types/oauth2.type.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commercetools/connect-payments-sdk",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "Payment SDK for commercetools payment connectors",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -16,6 +16,8 @@
   "license": "ISC",
   "dependencies": {
     "@commercetools/platform-sdk": "7.2.0-alpha.4",
-    "@commercetools/sdk-client-v2": "2.3.0"
+    "@commercetools/sdk-client-v2": "2.3.0",
+    "jsonwebtoken": "9.0.2",
+    "jwks-rsa": "3.1.0"
   }
 }

package/.github/workflows/ci.yml

@@ -1,34 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: [ main ]
-
-jobs:
-  ci:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
-
-      - name: Install dependencies
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8
-          run_install: |
-            - recursive: true
-              args: [--frozen-lockfile, --strict-peer-dependencies]
-
-      - name: Build
-        run: pnpm run build
-
-      - name: Static code analysis
-        run: pnpm run lint
-
-      - name: Tests
-        run: pnpm run test

package/.github/workflows/release.yml

@@ -1,46 +0,0 @@
-name: Release
-
-on:
-  push:
-    branches: [ main ]
-
-jobs:
-  publish-gpr:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
-
-      - name: Install dependencies
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8
-          run_install: |
-            - recursive: true
-              args: [--frozen-lockfile, --strict-peer-dependencies]
-
-      - name: Static code analysis
-        run: pnpm run lint
-
-      - name: Tests
-        run: pnpm run test
-
-      - name: Create Release Pull Request or Publish to npm
-        id: changesets
-        uses: changesets/action@v1
-        with:
-          # This expects you to have a script called release which does a build for your packages and calls changeset publish
-          publish: pnpm run release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      
-      - name: Create release
-        if: steps.changesets.outputs.published == 'true'
-        # You can do something when a publish happens.
-        run: VERSION=$(jq '.version' package.json -r);gh release create "$VERSION" --title "$VERSION [@commercetools/connect-payments-sdk]" --notes 'Check CHANGELOG.md file.'