@de-otio/trellis 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +6 -3
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-sessions.js","sourceRoot":"","sources":["../../../src/lib/routes/agent-sessions.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA6BH,kEAEC;AAED,sEAEC;AAjCD,kEAMoC;AACpC,6DAAyD;AACzD,wCAAkD;AAClD,gGAGmD;AACnD,iCAAwC;AACxC,8CAA+D;AAC/D,gEAA2D;AAC3D,0DAAsD;AACtD,qCAA8D;AAQ9D,IAAI,IAAI,GAAqB,EAAE,CAAC;AAEhC,SAAgB,2BAA2B,CAAC,CAAmB;IAC7D,IAAI,GAAG,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,6BAA6B;IAC3C,IAAI,GAAG,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;IACnF,MAAM,MAAM,GAAG,IAAI,gEAA6B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7D,OAAO;QACL,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gEAA6B,CAAC;gBAChC,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,QAAQ,EAAE,KAAK,CAAC,eAAe;aAChC,CAAC,CACH,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ;IACf,OAAO,IAAI,CAAC,YAAY,IAAI,IAAI,wBAAiB,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,WAAW,CAAC,GAAuB;IAC1C,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,SAAS;QACjB,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,IAAI;QAClC,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;QAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACvD,UAAU,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACzD,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAAG,qDAAqD,CAAC;AAE3D,QAAA,mBAAmB,GAAY;IAC1C;QACE,IAAI,EAAE,8BAA8B;QACpC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,GAAG,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YAEzC,MAAM,QAAQ,GAAG,MAAM,IAAA,qCAAiB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC,EACvD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,iDAAiD;KAC/D;IAED;QACE,IAAI,E
AAE,SAAS;QACf,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,GAAG,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YAEzC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACjD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;oBAC1B,KAAK,EAAE,iBAAiB;oBACxB,OAAO,EAAE,yBAAyB;oBAClC,WAAW,EAAE,oDAAoD;iBAClE,EAAE,GAAG,CAAC,CAAC;YACV,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAA,mCAAe,EAAC,SAAS,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC/C,2CAA2C;gBAC3C,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;oBAC1B,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,0BAA0B;oBACnC,WAAW,EAAE,8DAA8D;iBAC5E,EAAE,GAAG,CAAC,CAAC;YACV,CAAC;YAED,MAAM,UAAU,GAAG,GAAG,CAAC,oBAAoB,CAAC;YAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAC3C,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;YACzB,mEAAmE;YACnE,MAAM,MAAM,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;YAEjC,MAAM,IAAA,sCAAkB,EAAC;gBACvB,SAAS;gBACT,UAAU;gBACV,eAAe,EAAE,OAAO,CAAC,UAAU;gBACnC,OAAO;gBACP,KAAK,EAAE;oBACL,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,KAAc,EAAE,MAAe,CAAC;iBACnE;gBACD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,WAAW,EAAE,IAAI,CAAC,MAAM;gBACxB,QAAQ,EAAE,IAAA,mCAAe,EAAC,OAAO,EAAE,GAAG,CAAC;aACxC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,EACrC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,yBAAyB;KACvC;CACF,CAAC"}
|
|
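--- a/package/dist/lib/routes/agent-surface.d.ts
+++ b/package/dist/lib/routes/agent-surface.d.ts
@@ -0,0 +1,37 @@
+/**
+* Agent-Surface Routes (T9b-a)
+*
+* Public, unauthenticated discovery endpoints for AI agents and tooling:
+*
+* GET /llms.txt — setup contract for AI agents (llmstxt.org convention)
+* GET /openapi.json — OpenAPI 3.1 document auto-generated from route registry
+* GET /security.txt — RFC 9116 security contact
+*
+* All three are rate-limited at the API Gateway / WAF layer (120 req/min per IP).
+* No session required.
+*/
+import type { Route } from "./types";
+/**
+* Build the agent-surface routes, injecting the full route list so the
+* OpenAPI generator can introspect the registry.
+*
+* Usage in routes/index.ts:
+* import { buildAgentSurfaceRoutes } from "./agent-surface";
+* // after all routes are collected:
+* const agentSurface = buildAgentSurfaceRoutes(coreRoutes);
+*
+* Because we need the full route list for OpenAPI generation but the route
+* list includes these routes themselves, we expose a plain `agentSurfaceRoutes`
+* export that uses a deferred getter — the first HTTP request triggers
+* generation using whatever has been registered by then.
+*/
+export declare function buildAgentSurfaceRoutes(getAllRoutes: () => Route[]): Route[];
+/**
+* Static export for the route registry.
+*
+* These routes have no dependency on the full route list (llms.txt and
+* security.txt are static; openapi.json generates lazily on first request).
+* Import and spread into coreRoutes in routes/index.ts.
+*/
+export declare const agentSurfaceRoutes: Route[];
+//# sourceMappingURL=agent-surface.d.ts.map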
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-surface.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/agent-surface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAgHrC;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,KAAK,EAAE,GAAG,KAAK,EAAE,CAiE5E;AAED;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,KAAK,EAAsC,CAAC"}
|
|
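--- a/package/dist/lib/routes/agent-surface.js
+++ b/package/dist/lib/routes/agent-surface.js
@@ -0,0 +1,208 @@
+"use strict";
+/**
+* Agent-Surface Routes (T9b-a)
+*
+* Public, unauthenticated discovery endpoints for AI agents and tooling:
+*
+* GET /llms.txt — setup contract for AI agents (llmstxt.org convention)
+* GET /openapi.json — OpenAPI 3.1 document auto-generated from route registry
+* GET /security.txt — RFC 9116 security contact
+*
+* All three are rate-limited at the API Gateway / WAF layer (120 req/min per IP).
+* No session required.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.agentSurfaceRoutes = void 0;
+exports.buildAgentSurfaceRoutes = buildAgentSurfaceRoutes;
+const middleware_1 = require("../middleware");
+const generator_1 = require("../openapi/generator");
+// ── Constants ─────────────────────────────────────────────────────────────────
+const SECURITY_CONTACT = "security@skybber.com";
+const SECURITY_POLICY_URL = "https://skybber.com/security/policy";
+const SECURITY_CANONICAL_URL = "https://api.skybber.com/security.txt";
+// ── llms.txt content ──────────────────────────────────────────────────────────
+const LLMS_TXT_CONTENT = `# Trellis / Skybber — Agent Setup Contract
+
+> Skybber is a social platform for dog fans with a B2B multi-tenant identity
+> federation layer. This file tells an AI agent everything it needs to drive
+> tenant onboarding end-to-end.
+
+## Persona scenario
+
+An IT engineer at a customer org says: "Help me set up Skybber for my company."
+The agent should be able to:
+1. Discover what Skybber is and what setup involves (this file).
+2. Ask the engineer for the few inputs only a human can supply (Entra admin
+consent, role-mapping decisions).
+3. Drive every other step via HTTP API or tools the agent already has
+(Microsoft Graph, Route53/Cloudflare DNS, etc.).
+4. Verify the result.
+5. Hand the engineer back a working tenant with a one-paragraph summary.
+
+## Authentication
+
+Agents authenticate via OIDC — no static API tokens are issued.
+Two flows are supported:
+
+- **PKCE + localhost-listener** (interactive agent on engineer's machine):
+Redirect to \`https://auth.skybber.com/oauth2/authorize\` with
+\`response_type=code&client_id=skybber-agent-cli&code_challenge=...\`
+and catch the code on \`http://127.0.0.1:{ephemeral-port}/cb\`.
+
+- **Device authorization grant** (headless / CI agent):
+POST /oauth2/device_authorization → get device_code + user_code →
+engineer approves at https://app.skybber.com/agents/authorize →
+agent polls POST /oauth2/token.
+
+Tokens are short-lived (~1 h). Refresh tokens are single-use and rotated.
+The engineer can revoke any agent session at any time via GET/POST
+/api/users/me/agent-sessions.
+
+## Key endpoints
+
+| Endpoint | Method | Purpose |
+|---|---|---|
+| /api/tenants/{id}/setup-status | GET | Current onboarding progress + nextStep hint |
+| /api/tenants/{id}/domains | POST | Add a domain for verification |
+| /api/tenants/{id}/domains/{domainId}/verify | POST | Trigger DNS TXT check |
+| /api/tenants/{id}/identity-provider | POST | Connect OIDC/SAML IdP |
+| /api/tenants/{id}/identity-provider/test-sign-in | POST | Validate IdP round-trip |
+| /api/tenants/{id}/role-mappings | POST | Map IdP group → Skybber role |
+| /api/tenants/{id}/audit | GET | Audit log of tenant events |
+| /api/auth/discover | POST | Pre-login: resolve email → IdP redirect or password |
+| /openapi.json | GET | Full OpenAPI 3.1 spec (this server) |
+| /.well-known/compliance.json | GET | Tenant compliance bundle |
+
+## Error format
+
+Every 4xx response from federation endpoints is JSON:
+\`\`\`json
+{
+"error": "ERROR_CODE",
+"message": "Human-readable description.",
+"remediation": "Exact next step or 'ask the engineer X'.",
+"field": "fieldName"
+}
+\`\`\`
+
+## Idempotency
+
+Every federation POST accepts an \`Idempotency-Key\` header. Same key + same
+body within 24 h returns the original 2xx response without side-effects.
+
+## Safety
+
+- Client secrets are write-only. GET /api/tenants/{id}/identity-provider
+returns \`null\` for \`clientSecret\`. Never echo secrets in conversation.
+- Destructive operations require \`?confirm=true\`. A call without it returns
+400 with a remediation explaining the risk.
+- Agents should request minimal scopes: domain.*, idp.*, role_mapping.*.
+
+## Further reading
+
+- Full spec: GET /openapi.json
+- Compliance bundle: GET /.well-known/compliance.json (per-tenant, auth required)
+- Security contact: GET /security.txt
+`;
+// ── Route definitions ─────────────────────────────────────────────────────────
+/**
+* Build a lazy-caching OpenAPI JSON getter scoped to a specific route-list getter.
+* The cache is per-getter closure so multiple `buildAgentSurfaceRoutes` calls
+* (e.g. in tests) each get an independent cache.
+*/
+function makeOpenApiGetter(getAllRoutes) {
+let cached = null;
+return () => {
+if (cached === null) {
+const doc = (0, generator_1.generateOpenApiDoc)(getAllRoutes());
+cached = JSON.stringify(doc, null, 2);
+}
+return cached;
+};
+}
+/**
+* Build the agent-surface routes, injecting the full route list so the
+* OpenAPI generator can introspect the registry.
+*
+* Usage in routes/index.ts:
+* import { buildAgentSurfaceRoutes } from "./agent-surface";
+* // after all routes are collected:
+* const agentSurface = buildAgentSurfaceRoutes(coreRoutes);
+*
+* Because we need the full route list for OpenAPI generation but the route
+* list includes these routes themselves, we expose a plain `agentSurfaceRoutes`
+* export that uses a deferred getter — the first HTTP request triggers
+* generation using whatever has been registered by then.
+*/
+function buildAgentSurfaceRoutes(getAllRoutes) {
+const getOpenApiJson = makeOpenApiGetter(getAllRoutes);
+return [
+// ── GET /llms.txt ────────────────────────────────────────────────────────
+{
+path: "/llms.txt",
+method: "GET",
+handler: async (_request, _env) => {
+return new Response(LLMS_TXT_CONTENT, {
+status: 200,
+headers: {
+"content-type": "text/plain; charset=utf-8",
+"cache-control": "public, max-age=3600",
+},
+});
+},
+middleware: [(0, middleware_1.corsMiddleware)()],
+description: "Agent setup contract (llmstxt.org convention)",
+},
+// ── GET /openapi.json ────────────────────────────────────────────────────
+{
+path: "/openapi.json",
+method: "GET",
+handler: async (_request, _env) => {
+const json = getOpenApiJson();
+return new Response(json, {
+status: 200,
+headers: {
+"content-type": "application/json; charset=utf-8",
+"cache-control": "public, max-age=300",
+},
+});
+},
+middleware: [(0, middleware_1.corsMiddleware)()],
+description: "OpenAPI 3.1 document (auto-generated from route registry)",
+},
+// ── GET /security.txt ────────────────────────────────────────────────────
+{
+path: "/security.txt",
+method: "GET",
+handler: async (_request, _env) => {
+const expires = new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toISOString();
+const body = [
+`Contact: mailto:${SECURITY_CONTACT}`,
+`Expires: ${expires}`,
+`Preferred-Languages: en`,
+`Canonical: ${SECURITY_CANONICAL_URL}`,
+`Policy: ${SECURITY_POLICY_URL}`,
+"",
+].join("\n");
+return new Response(body, {
+status: 200,
+headers: {
+"content-type": "text/plain; charset=utf-8",
+"cache-control": "public, max-age=86400",
+},
+});
+},
+middleware: [(0, middleware_1.corsMiddleware)()],
+description: "RFC 9116 security contact",
+},
+];
+}
+/**
+* Static export for the route registry.
+*
+* These routes have no dependency on the full route list (llms.txt and
+* security.txt are static; openapi.json generates lazily on first request).
+* Import and spread into coreRoutes in routes/index.ts.
+*/
+exports.agentSurfaceRoutes = buildAgentSurfaceRoutes(() => []);
+//# sourceMappingURL=agent-surface.js.map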
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-surface.js","sourceRoot":"","sources":["../../../src/lib/routes/agent-surface.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAkIH,0DAiEC;AAjMD,8CAA+C;AAC/C,oDAA0D;AAG1D,iFAAiF;AAEjF,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAChD,MAAM,mBAAmB,GAAG,qCAAqC,CAAC;AAClE,MAAM,sBAAsB,GAAG,sCAAsC,CAAC;AAEtE,iFAAiF;AAEjF,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkFxB,CAAC;AAEF,iFAAiF;AAEjF;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,YAA2B;IACpD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,IAAA,8BAAkB,EAAC,YAAY,EAAE,CAAC,CAAC;YAC/C,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,uBAAuB,CAAC,YAA2B;IACjE,MAAM,cAAc,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACvD,OAAO;QACL,4EAA4E;QAC5E;YACE,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,OAAO,IAAI,QAAQ,CAAC,gBAAgB,EAAE;oBACpC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,2BAA2B;wBAC3C,eAAe,EAAE,sBAAsB;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,+CAA+C;SAC7D;QAED,4EAA4E;QAC5E;YACE,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;gBAC9B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,iCAAiC;wBACjD,eAAe,EAAE,qBAAqB;qBACvC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,2DAA2D;SACzE;QAED,4EAA4E;QAC5E;YACE,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC/E,MAAM,IAAI,GAAG;oBACX,mBAAmB,gBAAgB,EAAE;oBACrC,YAAY,OAAO,EAAE;oBACrB,yBAAyB;oBACzB,cAAc,sBAAsB,EAAE;oBACtC,WAAW,mBAAmB,EAAE;oBAChC,EAAE;iBACH,CAAC,IAAI,CAAC,IAAI,CAA
C,CAAC;gBAEb,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,2BAA2B;wBAC3C,eAAe,EAAE,uBAAuB;qBACzC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,2BAA2B;SACzC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACU,QAAA,kBAAkB,GAAY,uBAAuB,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC"}
|
|
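--- a/package/dist/lib/routes/auth-discover.d.ts
+++ b/package/dist/lib/routes/auth-discover.d.ts
@@ -0,0 +1,18 @@
+/**
+* POST /api/auth/discover
+*
+* Pre-login sign-in discovery. Accepts an email address and returns either:
+* - { method: "idp", idpRedirect: "...", tenantSlug: "..." } — federated tenant
+* - { method: "password" } — everything else
+*
+* Security properties:
+* - No auth required (pre-login endpoint).
+* - Never leaks whether a domain is claimed but with a disabled IdP.
+* - Rate-limited 30 req/min per source IP (DynamoDB token bucket via RATE_LIMIT_KV).
+* - Timing-safe: always performs the DB query; pads short-circuit paths to a
+* fixed minimum elapsed time so response-time analysis cannot distinguish
+* federated from non-federated domains.
+*/
+import type { Route } from "./types";
+export declare const authDiscoverRoutes: Route[];
+//# sourceMappingURL=auth-discover.d.ts.map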
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-discover.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/auth-discover.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAqJrC,eAAO,MAAM,kBAAkB,EAAE,KAAK,EAYrC,CAAC"}
|
|
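--- a/package/dist/lib/routes/auth-discover.js
+++ b/package/dist/lib/routes/auth-discover.js
@@ -0,0 +1,177 @@
+"use strict";
+/**
+* POST /api/auth/discover
+*
+* Pre-login sign-in discovery. Accepts an email address and returns either:
+* - { method: "idp", idpRedirect: "...", tenantSlug: "..." } — federated tenant
+* - { method: "password" } — everything else
+*
+* Security properties:
+* - No auth required (pre-login endpoint).
+* - Never leaks whether a domain is claimed but with a disabled IdP.
+* - Rate-limited 30 req/min per source IP (DynamoDB token bucket via RATE_LIMIT_KV).
+* - Timing-safe: always performs the DB query; pads short-circuit paths to a
+* fixed minimum elapsed time so response-time analysis cannot distinguish
+* federated from non-federated domains.
+*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authDiscoverRoutes = void 0;
+const middleware_1 = require("../middleware");
+const security_headers_1 = require("../security-headers");
+const derive_domain_1 = require("../tenant/derive-domain");
+const idp_redirect_builder_1 = require("../auth/idp-redirect-builder");
+const idp_name_1 = require("../tenant/idp-name");
+const rate_limit_1 = require("../rate-limit");
+const errors_1 = require("./errors");
+const RATE_LIMIT_PER_MIN = 30;
+const WINDOW_SECONDS = 60;
+const MIN_RESPONSE_MS = 80;
+function passwordResponse() {
+return new Response(JSON.stringify({ method: "password" }), { status: 200, headers: { "content-type": "application/json" } });
+}
+function tooManyRequests(retryAfter) {
+const r = (0, errors_1.structuredError)(429, {
+error: "RATE_LIMIT_EXCEEDED",
+message: "Too many sign-in discovery requests. Please slow down.",
+remediation: `Wait ${retryAfter} seconds before retrying.`,
+});
+// Attach Retry-After without re-constructing the body.
+const headers = new Headers(r.headers);
+headers.set("Retry-After", String(retryAfter));
+return new Response(r.body, { status: 429, headers });
+}
+async function padToMinimum(startMs) {
+const elapsed = Date.now() - startMs;
+if (elapsed < MIN_RESPONSE_MS) {
+await new Promise((resolve) => setTimeout(resolve, MIN_RESPONSE_MS - elapsed));
+}
+}
+async function discoverHandler(request, env) {
+const startMs = Date.now();
+const rateLimiter = new rate_limit_1.RateLimiter();
+const ip = request.headers.get("CF-Connecting-IP") ||
+request.headers.get("X-Forwarded-For")?.split(",")[0]?.trim() ||
+"unknown";
+const rateLimitResult = await rateLimiter.checkRateLimitKV(env, request, "auth-discover", RATE_LIMIT_PER_MIN, WINDOW_SECONDS);
+if (!rateLimitResult.allowed) {
+const retryAfter = Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000);
+await padToMinimum(startMs);
+return tooManyRequests(retryAfter);
+}
+let body;
+try {
+body = await request.json();
+}
+catch {
+await padToMinimum(startMs);
+return (0, errors_1.structuredError)(400, {
+error: "INVALID_JSON",
+message: "Request body must be valid JSON.",
+remediation: "Ensure the request body is well-formed JSON with an 'email' field.",
+});
+}
+const { z } = await Promise.resolve().then(() => __importStar(require("zod")));
+const schema = z.object({ email: z.string() });
+const parsed = schema.safeParse(body);
+const emailDomain = parsed.success ? (0, derive_domain_1.deriveEmailDomain)(parsed.data.email) : null;
+if (!emailDomain) {
+await padToMinimum(startMs);
+return (0, errors_1.structuredError)(400, {
+error: "INVALID_EMAIL",
+message: "A valid email address is required.",
+remediation: "Provide a well-formed email address in the 'email' field.",
+field: "email",
+});
+}
+const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
+const db = createPrisma(env);
+try {
+const row = await db.tenantDomain.findFirst({
+where: {
+domain: emailDomain,
+verifiedAt: { not: null },
+tenant: {
+identityProvider: {
+status: "ACTIVE",
+},
+},
+},
+select: {
+tenant: {
+select: {
+id: true,
+slug: true,
+identityProvider: {
+select: {
+cognitoIdpName: true,
+},
+},
+},
+},
+},
+});
+await padToMinimum(startMs);
+if (!row?.tenant?.identityProvider) {
+return passwordResponse();
+}
+const { tenant } = row;
+const idpName = tenant.identityProvider.cognitoIdpName ?? (0, idp_name_1.cognitoIdpName)(tenant.id);
+const config = (0, idp_redirect_builder_1.getIdpRedirectConfig)(env);
+const idpRedirect = (0, idp_redirect_builder_1.buildIdpRedirectUrl)(config, {
+cognitoIdpName: idpName,
+tenantSlug: tenant.slug,
+});
+return new Response(JSON.stringify({ method: "idp", idpRedirect, tenantSlug: tenant.slug }), { status: 200, headers: { "content-type": "application/json" } });
+}
+catch (err) {
+await padToMinimum(startMs);
+throw err;
+}
+}
+exports.authDiscoverRoutes = [
+{
+path: "/api/auth/discover",
+method: "POST",
+handler: async (request, env) => {
+const securityHeaders = new security_headers_1.SecurityHeaders(env);
+const response = await discoverHandler(request, env);
+return securityHeaders.addSecurityHeaders(response);
+},
+middleware: [(0, middleware_1.corsMiddleware)()],
+description: "Sign-in discovery: returns idp redirect or password fallback",
+},
+];
+//# sourceMappingURL=auth-discover.js.map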
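Review bot: `ip` on new lines 85–87 of `discoverHandler` is built from `CF-Connecting-IP`/`X-Forwarded-For` and then never used — `checkRateLimitKV` on line 88 receives `request` and keys the bucket on its own terms, so the header chain is dead code and the "per source IP" claim in the file header cannot be confirmed from this file; either pass `ip` to the limiter or delete lines 85–87 so readers are not misled about which header drives the limit. `retryAfter` on line 90 can be zero or negative once `resetAt` is already in the past, which yields a non-positive `Retry-After` header and a "Wait 0 seconds" message; clamp it with `const retryAfter = Math.max(1, Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000));`. `z.string()` on line 107 places no bound on the email length, so unless `deriveEmailDomain` rejects long input, a `.max()` on the schema would keep per-request parsing work on this unauthenticated endpoint bounded.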
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth-discover.js","sourceRoot":"","sources":["../../../src/lib/routes/auth-discover.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGH,8CAA+C;AAC/C,0DAAsD;AACtD,2DAA4D;AAC5D,uEAGsC;AACtC,iDAAoD;AACpD,8CAA4C;AAC5C,qCAA2C;AAG3C,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,cAAc,GAAG,EAAE,CAAC;AAC1B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,SAAS,gBAAgB;IACvB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EACtC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,CAAC,GAAG,IAAA,wBAAe,EAAC,GAAG,EAAE;QAC7B,KAAK,EAAE,qBAAqB;QAC5B,OAAO,EAAE,wDAAwD;QACjE,WAAW,EAAE,QAAQ,UAAU,2BAA2B;KAC3D,CAAC,CAAC;IACH,uDAAuD;IACvD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IAC/C,OAAO,IAAI,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAe;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;IACrC,IAAI,OAAO,GAAG,eAAe,EAAE,CAAC;QAC9B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC;IACvF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAgB,EAAE,GAAQ;IACvD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,MAAM,WAAW,GAAG,IAAI,wBAAW,EAAE,CAAC;IACtC,MAAM,EAAE,GACN,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACvC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;QAC7D,SAAS,CAAC;IAEZ,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,gBAAgB,CACxD,GAAG,EACH,OAAO,EACP,eAAe,EACf,kBAAkB,EAClB,cAAc,CACf,CAAC;IAEF,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5E,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,eAAe,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,YAAY,CAAC,OAA
O,CAAC,CAAC;QAC5B,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;YAC1B,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,kCAAkC;YAC3C,WAAW,EAAE,oEAAoE;SAClF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,GAAG,wDAAa,KAAK,GAAC,CAAC;IAClC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEtC,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAA,iCAAiB,EAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEjF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;YAC1B,KAAK,EAAE,eAAe;YACtB,OAAO,EAAE,oCAAoC;YAC7C,WAAW,EAAE,2DAA2D;YACxE,KAAK,EAAE,OAAO;SACf,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;YAC1C,KAAK,EAAE;gBACL,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE;gBACzB,MAAM,EAAE;oBACN,gBAAgB,EAAE;wBAChB,MAAM,EAAE,QAAQ;qBACjB;iBACF;aACF;YACD,MAAM,EAAE;gBACN,MAAM,EAAE;oBACN,MAAM,EAAE;wBACN,EAAE,EAAE,IAAI;wBACR,IAAI,EAAE,IAAI;wBACV,gBAAgB,EAAE;4BAChB,MAAM,EAAE;gCACN,cAAc,EAAE,IAAI;6BACrB;yBACF;qBACF;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5B,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;YACnC,OAAO,gBAAgB,EAAE,CAAC;QAC5B,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;QACvB,MAAM,OAAO,GACX,MAAM,CAAC,gBAAiB,CAAC,cAAc,IAAI,IAAA,yBAAc,EAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,IAAA,2CAAoB,EAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,IAAA,0CAAmB,EAAC,MAAM,EAAE;YAC9C,cAAc,EAAE,OAAO;YACvB,UAAU,EAAE,MAAM,CAAC,IAAI;SACxB,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,EACvE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAEY,QAAA,kBAAkB,GAAY;IACzC;QACE,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,M
AAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACrD,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,8DAA8D;KAC5E;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"comments.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/comments.ts"],"names":[],"mappings":"AAAA;;GAEG;
|
|
1
|
+
{"version":3,"file":"comments.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/comments.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,eAAO,MAAM,cAAc,EAAE,KAAK,EA6ajC,CAAC"}
|
|
@@ -5,6 +5,7 @@
|
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
exports.commentsRoutes = void 0;
|
|
7
7
|
const comment_handler_1 = require("../comment-handler");
|
|
8
|
+
const auth_middleware_1 = require("../auth/auth-middleware");
|
|
8
9
|
const logger_1 = require("../logger");
|
|
9
10
|
const middleware_1 = require("../middleware");
|
|
10
11
|
const schemas_1 = require("../schemas");
|
|
@@ -27,12 +28,16 @@ exports.commentsRoutes = [
|
|
|
27
28
|
if (!session) {
|
|
28
29
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
29
30
|
}
|
|
31
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
32
|
+
if (!auth || !auth.activeTenantId) {
|
|
33
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
34
|
+
}
|
|
30
35
|
try {
|
|
31
36
|
if (!requestContext) {
|
|
32
37
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
33
38
|
}
|
|
34
39
|
const postId = pathname.split("/api/posts/")[1].split("/comments")[0];
|
|
35
|
-
const response = await commentHandler.createComment(postId, request, session, env, requestContext);
|
|
40
|
+
const response = await commentHandler.createComment(postId, request, session, env, requestContext, auth.activeTenantId);
|
|
36
41
|
return securityHeaders.addSecurityHeaders(response);
|
|
37
42
|
}
|
|
38
43
|
catch (error) {
|
|
@@ -56,6 +61,10 @@ exports.commentsRoutes = [
|
|
|
56
61
|
if (!session) {
|
|
57
62
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
58
63
|
}
|
|
64
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
65
|
+
if (!auth || !auth.activeTenantId) {
|
|
66
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
67
|
+
}
|
|
59
68
|
try {
|
|
60
69
|
if (!requestContext) {
|
|
61
70
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
@@ -66,7 +75,7 @@ exports.commentsRoutes = [
|
|
|
66
75
|
return securityHeaders.addSecurityHeaders(queryValidation.error);
|
|
67
76
|
}
|
|
68
77
|
const { limit, cursor } = queryValidation.data;
|
|
69
|
-
const response = await commentHandler.getComments(postId, request, session, { limit, cursor }, env, requestContext);
|
|
78
|
+
const response = await commentHandler.getComments(postId, request, session, { limit, cursor }, env, requestContext, auth.activeTenantId);
|
|
70
79
|
return securityHeaders.addSecurityHeaders(response);
|
|
71
80
|
}
|
|
72
81
|
catch (error) {
|
|
@@ -90,12 +99,16 @@ exports.commentsRoutes = [
|
|
|
90
99
|
if (!session) {
|
|
91
100
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
92
101
|
}
|
|
102
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
103
|
+
if (!auth || !auth.activeTenantId) {
|
|
104
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
105
|
+
}
|
|
93
106
|
try {
|
|
94
107
|
if (!requestContext) {
|
|
95
108
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
96
109
|
}
|
|
97
110
|
const commentId = pathname.split("/api/comments/")[1].split("/hide")[0];
|
|
98
|
-
const response = await commentHandler.hideComment(commentId, request, session, env, requestContext);
|
|
111
|
+
const response = await commentHandler.hideComment(commentId, request, session, env, requestContext, auth.activeTenantId);
|
|
99
112
|
return securityHeaders.addSecurityHeaders(response);
|
|
100
113
|
}
|
|
101
114
|
catch (error) {
|
|
@@ -119,6 +132,10 @@ exports.commentsRoutes = [
|
|
|
119
132
|
if (!session) {
|
|
120
133
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
121
134
|
}
|
|
135
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
136
|
+
if (!auth || !auth.activeTenantId) {
|
|
137
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
138
|
+
}
|
|
122
139
|
try {
|
|
123
140
|
if (!requestContext) {
|
|
124
141
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
@@ -126,7 +143,7 @@ exports.commentsRoutes = [
|
|
|
126
143
|
const commentId = pathname
|
|
127
144
|
.split("/api/comments/")[1]
|
|
128
145
|
.split("/unhide")[0];
|
|
129
|
-
const response = await commentHandler.unhideComment(commentId, request, session, env, requestContext);
|
|
146
|
+
const response = await commentHandler.unhideComment(commentId, request, session, env, requestContext, auth.activeTenantId);
|
|
130
147
|
return securityHeaders.addSecurityHeaders(response);
|
|
131
148
|
}
|
|
132
149
|
catch (error) {
|
|
@@ -150,12 +167,16 @@ exports.commentsRoutes = [
|
|
|
150
167
|
if (!session) {
|
|
151
168
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
152
169
|
}
|
|
170
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
171
|
+
if (!auth || !auth.activeTenantId) {
|
|
172
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
173
|
+
}
|
|
153
174
|
try {
|
|
154
175
|
if (!requestContext) {
|
|
155
176
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
156
177
|
}
|
|
157
178
|
const commentId = pathname.split("/api/comments/")[1];
|
|
158
|
-
const response = await commentHandler.editComment(commentId, request, session, env, requestContext);
|
|
179
|
+
const response = await commentHandler.editComment(commentId, request, session, env, requestContext, auth.activeTenantId);
|
|
159
180
|
return securityHeaders.addSecurityHeaders(response);
|
|
160
181
|
}
|
|
161
182
|
catch (error) {
|
|
@@ -179,12 +200,16 @@ exports.commentsRoutes = [
|
|
|
179
200
|
if (!session) {
|
|
180
201
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
181
202
|
}
|
|
203
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
204
|
+
if (!auth || !auth.activeTenantId) {
|
|
205
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
206
|
+
}
|
|
182
207
|
try {
|
|
183
208
|
if (!requestContext) {
|
|
184
209
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
185
210
|
}
|
|
186
211
|
const commentId = pathname.split("/api/comments/")[1];
|
|
187
|
-
const response = await commentHandler.deleteComment(commentId, request, session, env, requestContext);
|
|
212
|
+
const response = await commentHandler.deleteComment(commentId, request, session, env, requestContext, auth.activeTenantId);
|
|
188
213
|
return securityHeaders.addSecurityHeaders(response);
|
|
189
214
|
}
|
|
190
215
|
catch (error) {
|
|
@@ -208,12 +233,16 @@ exports.commentsRoutes = [
|
|
|
208
233
|
if (!session) {
|
|
209
234
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
210
235
|
}
|
|
236
|
+
const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
|
|
237
|
+
if (!auth || !auth.activeTenantId) {
|
|
238
|
+
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
|
|
239
|
+
}
|
|
211
240
|
try {
|
|
212
241
|
if (!requestContext) {
|
|
213
242
|
return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
|
|
214
243
|
}
|
|
215
244
|
const parentCommentId = pathname.split("/api/comments/")[1].split("/replies")[0];
|
|
216
|
-
const response = await commentHandler.createReply(parentCommentId, request, session, env, requestContext);
|
|
245
|
+
const response = await commentHandler.createReply(parentCommentId, request, session, env, requestContext, auth.activeTenantId);
|
|
217
246
|
return securityHeaders.addSecurityHeaders(response);
|
|
218
247
|
}
|
|
219
248
|
catch (error) {
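Review bot: The four-line `authMiddleware` block inserted after the `session` check (new lines 31–34 in the hunk at `@@ -27,12 +28,16 @@`, and repeated verbatim in the hunks starting at new lines 61, 99, 132, 167, 200 and 233) resolves the caller a second time on every request and hard-codes the same 401 response seven times; a small helper such as `const tenantId = (await (0, auth_middleware_1.authMiddleware)(request, env))?.activeTenantId;` followed by one `if (!tenantId)` guard would keep the handlers in step when the check changes. `session` and `auth` are derived independently, and nothing visible here asserts that `auth.activeTenantId` belongs to the same principal as `session` — presumably both read the same credential, but a one-line comment stating that, or a check that the two agree, would make the tenant-scoping argument explicit. Each handler's enclosing function starts and ends outside the hunks.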
|