@crossauth/sveltekit 1.0.1 → 1.1.1

package/dist/sveltekitapikey.d.ts

@@ -1,6 +1,7 @@
-import { UserStorage, KeyStorage, ApiKeyManagerOptions } from '@crossauth/backend';
-import { RequestEvent, MaybePromise } from '@sveltejs/kit';
-
+import { UserStorage, KeyStorage } from '@crossauth/backend';
+import type { ApiKeyManagerOptions } from '@crossauth/backend';
+import type { RequestEvent } from '@sveltejs/kit';
+import { type MaybePromise } from './tests/sveltemocks';
 /**
  * Options for {@link SvelteKitApiKeyServer }.
  *

package/dist/sveltekitapikey.js

@@ -0,0 +1,81 @@
+// Copyright (c) 2026 Matthew Baker.  All rights reserved.  Licenced under the Apache Licence 2.0.  See LICENSE file
+import { ApiKeyManager, UserStorage, KeyStorage } from '@crossauth/backend';
+import { CrossauthLogger, j } from '@crossauth/common';
+import {} from './tests/sveltemocks';
+/**
+ * This class adds API key functionality to the Fatify server.
+ *
+ * You shouldn't have to instantiate this directly.  It is created
+ * when instantiating {@link SvelteKitServer} if enabling API key support-
+ *
+ * API keys are bearer tokens than have to be manually created for a user.
+ * They can be used in place of username/password login and session cookies.
+ *
+ * This class adds a `preHandler` hook that sets the `user` field in the
+ * SvelteKit request.  It also sets `scopes` in the request object if there
+ * is a `scope` field in the JSON object in the `data` field in in the API
+ * record in key storage.
+ */
+export class SvelteKitApiKeyServer {
+    userStorage;
+    apiKeyManager;
+    /**
+     * Hook to check if the user is logged in and set data in `locals`
+     * accordingly.
+     */
+    hook;
+    /**
+     * Constructor
+     *
+     * @param userStorage the user storage with user accounts
+     * @param keyStorage the storage for finding API keys
+     * @param options See {@link SvelteKitApiKeyServerOptions}
+     */
+    constructor(userStorage, keyStorage, options = {}) {
+        this.userStorage = userStorage;
+        this.apiKeyManager = new ApiKeyManager(keyStorage, options);
+        this.hook = async ({ event } /*, response*/) => {
+            CrossauthLogger.logger.debug("APIKey hook");
+            const authzHeader = event.request.headers.get("authorization");
+            if (authzHeader) {
+                try {
+                    CrossauthLogger.logger.debug(j({
+                        msg: "Received authorization header"
+                    }));
+                    const key = await this.apiKeyManager.validateToken(authzHeader);
+                    CrossauthLogger.logger.debug(j({
+                        msg: "Valid API key",
+                        hahedApiKey: ApiKeyManager.hashSignedApiKeyValue(key.value)
+                    }));
+                    const data = KeyStorage.decodeData(key.data);
+                    event.locals.apiKey = { ...key, ...data };
+                    if ("scope" in data && Array.isArray(data.scope)) {
+                        let scopes = [];
+                        for (let scope of data.scope) {
+                            if (typeof scope == "string")
+                                scopes.push(scope);
+                        }
+                        event.locals.scope = scopes;
+                    }
+                    if (key.userid) {
+                        try {
+                            const { user } = await this.userStorage.getUserById(key.userid);
+                            event.locals.user = user;
+                            event.locals.authType = "apiKey";
+                            CrossauthLogger.logger.debug(j({ msg: "API key is for user", userid: user.id, user: user.username, hahedApiKey: ApiKeyManager.hashSignedApiKeyValue(key.value) }));
+                        }
+                        catch (e2) {
+                            CrossauthLogger.logger.error(j({ msg: "API key has invalid user", userid: key.userid, hashedApiKey: ApiKeyManager.hashSignedApiKeyValue(key.value) }));
+                            CrossauthLogger.logger.debug(j({ err: e2 }));
+                        }
+                    }
+                }
+                catch (e) {
+                    CrossauthLogger.logger.error(j({ msg: "Invalid authorization header received", header: authzHeader }));
+                    CrossauthLogger.logger.debug(j({ err: e }));
+                }
+            }
+            ;
+        };
+    }
+}

package/dist/sveltekitoauthclient.d.ts

@@ -1,8 +1,10 @@
-import { CrossauthError, ErrorCode, OAuthTokenResponse, OAuthDeviceAuthorizationResponse, User } from '@crossauth/common';
-import { OAuthClientBackend, OAuthClientOptions } from '@crossauth/backend';
+import { CrossauthError, ErrorCode } from '@crossauth/common';
+import type { OAuthTokenResponse, OAuthDeviceAuthorizationResponse, User } from '@crossauth/common';
+import { OAuthClientBackend } from '@crossauth/backend';
+import type { OAuthClientOptions } from '@crossauth/backend';
 import { SvelteKitServer } from './sveltekitserver';
-import { RequestEvent, MaybePromise } from '@sveltejs/kit';
-
+import type { RequestEvent } from '@sveltejs/kit';
+import { type MaybePromise } from './tests/sveltemocks';
 export type SvelteKitErrorFn = (server: SvelteKitServer, event: RequestEvent, ce: CrossauthError) => Promise<Response>;
 /**
  * Options for {@link SvelteKitOAuthClient}.