@de-otio/trellis 0.6.1 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +7 -5
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
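--- /dev/null
+++ b/package/dist/lib/auth/idp-redirect-builder.js
@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * Builds the Cognito Hosted UI OAuth2 authorization URL for federated sign-in.
+ *
+ * The IdP name in Cognito follows the convention `tenant-{cuid}` (using the
+ * full tenant cuid, truncated to 25 chars to fit Cognito's 32-char provider-
+ * name quota). Sign-in discovery routes by the same convention, so the value
+ * passed in is what T5 provisioned.
+ *
+ * All URL parameters are server-derived; callers supply only the Prisma-loaded
+ * cognitoIdpName — no arbitrary IdP names accepted from request input.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cognitoIdpName = void 0;
+exports.buildIdpRedirectUrl = buildIdpRedirectUrl;
+exports.getIdpRedirectConfig = getIdpRedirectConfig;
+var idp_name_1 = require("../tenant/idp-name");
+Object.defineProperty(exports, "cognitoIdpName", { enumerable: true, get: function () { return idp_name_1.cognitoIdpName; } });
+/**
+ * Builds the Cognito Hosted UI authorization URL.
+ *
+ * Scope is always `openid email profile` — no caller-supplied scope to prevent
+ * privilege escalation via scope injection.
+ */
+function buildIdpRedirectUrl(config, params) {
+    const base = `https://${config.hostedUiDomain}/oauth2/authorize`;
+    const qs = new URLSearchParams({
+        identity_provider: params.cognitoIdpName,
+        client_id: config.clientId,
+        redirect_uri: config.redirectUri,
+        response_type: "code",
+        scope: "openid email profile",
+    });
+    return `${base}?${qs.toString()}`;
+}
+/**
+ * Reads IdP redirect config from the environment.
+ * Env vars read here are defined in src/env.ts and must come from there —
+ * no direct process.env access outside buildEnv().
+ */
+function getIdpRedirectConfig(env) {
+    return {
+        hostedUiDomain: env.COGNITO_HOSTED_UI_DOMAIN ?? "auth.skybber.com",
+        clientId: env.COGNITO_APP_CLIENT_ID ?? "",
+        redirectUri: env.COGNITO_REDIRECT_URI ?? "",
+    };
+}
+//# sourceMappingURL=idp-redirect-builder.js.map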
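Review bot: The authorization URL assembled in buildIdpRedirectUrl carries no `state` parameter, so nothing binds the browser session that started sign-in to the code that arrives at the callback (the login-CSRF case RFC 6749 §10.12 calls out), and there is no PKCE `code_challenge` either; if the caller appends these before redirecting, the header comment should say so, otherwise thread them through, e.g. `...(params.state ? { state: params.state } : {}),` inside the URLSearchParams literal. Separately, getIdpRedirectConfig falls back to `""` for clientId and redirectUri, so a missing env var produces a URL with `client_id=&redirect_uri=` that only fails once the user reaches Cognito; `if (!env.COGNITO_APP_CLIENT_ID) throw new Error("COGNITO_APP_CLIENT_ID is not configured");` would surface the misconfiguration at startup instead. The hard-coded `auth.skybber.com` default deserves a comment naming which deployment it is meant for, since any other environment with the variable unset will silently redirect users there. This is compiled output, so the change belongs in src/lib/auth/idp-redirect-builder.ts.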
@@ -0,0 +1 @@
1
+ {"version":3,"file":"idp-redirect-builder.js","sourceRoot":"","sources":["../../../src/lib/auth/idp-redirect-builder.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AA0BH,kDAaC;AAOD,oDAUC;AAtDD,+CAAoD;AAA3C,0GAAA,cAAc,OAAA;AAkBvB;;;;;GAKG;AACH,SAAgB,mBAAmB,CACjC,MAAyB,EACzB,MAAyB;IAEzB,MAAM,IAAI,GAAG,WAAW,MAAM,CAAC,cAAc,mBAAmB,CAAC;IACjE,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC;QAC7B,iBAAiB,EAAE,MAAM,CAAC,cAAc;QACxC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;KAC9B,CAAC,CAAC;IACH,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,GAIpC;IACC,OAAO;QACL,cAAc,EAAE,GAAG,CAAC,wBAAwB,IAAI,kBAAkB;QAClE,QAAQ,EAAE,GAAG,CAAC,qBAAqB,IAAI,EAAE;QACzC,WAAW,EAAE,GAAG,CAAC,oBAAoB,IAAI,EAAE;KAC5C,CAAC;AACJ,CAAC"}
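--- /dev/null
+++ b/package/dist/lib/auth/require.d.ts
@@ -0,0 +1,51 @@
+/**
+ * Authorization helpers — role and capability gating.
+ *
+ * Layers:
+ * 1. `requireRole` — coarse role-rank check (legacy; T3 uses it).
+ * 2. `requireCapability(cap)` — full capability matrix + resource scoping.
+ *
+ * SUPER_ADMIN bypasses every check (platform-wide override).
+ */
+import type { TenantRole } from "@prisma/client";
+import type { AuthContext } from "./auth-context";
+import { type CapabilityValue } from "./capabilities";
+export { Capability, type CapabilityValue } from "./capabilities";
+export { RoleGrants } from "./role-grants";
+/**
+ * Returns a 403 Response if the caller's tenant role is below `minRole`,
+ * or null if the check passes. SUPER_ADMIN bypasses.
+ */
+export declare function requireRole(auth: AuthContext, minRole: TenantRole): Response | null;
+/**
+ * Resource carrier for capability-scoped checks.
+ *
+ * `authorId` and `ownerUserId` are the two ownership signals we recognise:
+ * - `authorId` for posts/comments
+ * - `ownerUserId` for entities (via EntityOwnership)
+ *
+ * Either one matching `auth.userId` is sufficient for own-only verbs.
+ */
+export interface CapabilityResource {
+    authorId?: string | null;
+    ownerUserId?: string | null;
+}
+export interface RequireCapabilityOptions {
+    /** Resource being acted on; required for own-only capabilities. */
+    resource?: CapabilityResource;
+}
+/**
+ * Returns a 403 Response if the caller lacks `cap`, null on success.
+ *
+ * SUPER_ADMIN bypasses every check.
+ *
+ * For own-only capabilities (PostUpdate, PostDelete, EntityUpdate, EntityDelete):
+ * 1. The role must hold the base capability.
+ * 2. AND the resource must be owned by the caller, UNLESS the role also
+ * holds the matching cross-user moderation capability (PostModerate).
+ *
+ * If `options.resource` is omitted for an own-only capability, the check is
+ * lenient (caps-only) — callers that load the resource must pass it through.
+ */
+export declare function requireCapability(auth: AuthContext, cap: CapabilityValue, options?: RequireCapabilityOptions): Response | null;
+//# sourceMappingURL=require.d.ts.map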
@@ -0,0 +1 @@
1
+ {"version":3,"file":"require.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAY,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGlE,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAoB3C;;;GAGG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,WAAW,EACjB,OAAO,EAAE,UAAU,GAClB,QAAQ,GAAG,IAAI,CAIjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,wBAAwB;IACvC,mEAAmE;IACnE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AA6BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,eAAe,EACpB,OAAO,GAAE,wBAA6B,GACrC,QAAQ,GAAG,IAAI,CAcjB"}
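--- /dev/null
+++ b/package/dist/lib/auth/require.js
@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Authorization helpers — role and capability gating.
+ *
+ * Layers:
+ * 1. `requireRole` — coarse role-rank check (legacy; T3 uses it).
+ * 2. `requireCapability(cap)` — full capability matrix + resource scoping.
+ *
+ * SUPER_ADMIN bypasses every check (platform-wide override).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleGrants = exports.Capability = void 0;
+exports.requireRole = requireRole;
+exports.requireCapability = requireCapability;
+const capabilities_1 = require("./capabilities");
+const role_grants_1 = require("./role-grants");
+var capabilities_2 = require("./capabilities");
+Object.defineProperty(exports, "Capability", { enumerable: true, get: function () { return capabilities_2.Capability; } });
+var role_grants_2 = require("./role-grants");
+Object.defineProperty(exports, "RoleGrants", { enumerable: true, get: function () { return role_grants_2.RoleGrants; } });
+const ROLE_RANK = {
+    OWNER: 4,
+    ADMIN: 3,
+    MEMBER: 2,
+    GUEST: 1,
+};
+function isSuperAdmin(auth) {
+    return auth.globalRole === "SUPER_ADMIN";
+}
+function forbidden(message) {
+    return new Response(JSON.stringify({ error: "FORBIDDEN", message }), { status: 403, headers: { "content-type": "application/json" } });
+}
+/**
+ * Returns a 403 Response if the caller's tenant role is below `minRole`,
+ * or null if the check passes. SUPER_ADMIN bypasses.
+ */
+function requireRole(auth, minRole) {
+    if (isSuperAdmin(auth))
+        return null;
+    if (ROLE_RANK[auth.tenantRole] >= ROLE_RANK[minRole])
+        return null;
+    return forbidden(`Requires tenant role ${minRole} or higher`);
+}
+/**
+ * Resource-scoped capabilities — own-only by default, granted to all if the
+ * caller also holds the matching `*.moderate` capability.
+ *
+ * Per design (05-roles-and-permissions.md):
+ * - `post.update` / `post.delete`: own posts; `post.moderate` is the cross-user variant.
+ * - `entity.update` / `entity.delete`: own entities (via EntityOwnership);
+ * ADMIN/OWNER hold these unconditionally because they also hold `post.moderate`
+ * (cross-user takedown). MEMBER must own the entity.
+ */
+const OWN_ONLY_FALLBACK = {
+    [capabilities_1.Capability.PostUpdate]: capabilities_1.Capability.PostModerate,
+    [capabilities_1.Capability.PostDelete]: capabilities_1.Capability.PostModerate,
+    [capabilities_1.Capability.EntityUpdate]: capabilities_1.Capability.PostModerate,
+    [capabilities_1.Capability.EntityDelete]: capabilities_1.Capability.PostModerate,
+};
+function isOwnedBy(resource, userId) {
+    if (!resource)
+        return false;
+    if (resource.authorId && resource.authorId === userId)
+        return true;
+    if (resource.ownerUserId && resource.ownerUserId === userId)
+        return true;
+    return false;
+}
+/**
+ * Returns a 403 Response if the caller lacks `cap`, null on success.
+ *
+ * SUPER_ADMIN bypasses every check.
+ *
+ * For own-only capabilities (PostUpdate, PostDelete, EntityUpdate, EntityDelete):
+ * 1. The role must hold the base capability.
+ * 2. AND the resource must be owned by the caller, UNLESS the role also
+ * holds the matching cross-user moderation capability (PostModerate).
+ *
+ * If `options.resource` is omitted for an own-only capability, the check is
+ * lenient (caps-only) — callers that load the resource must pass it through.
+ */
+function requireCapability(auth, cap, options = {}) {
+    if (isSuperAdmin(auth))
+        return null;
+    const grants = role_grants_1.RoleGrants[auth.tenantRole];
+    if (!grants.has(cap))
+        return forbidden(`Requires capability ${cap}`);
+    const moderationCap = OWN_ONLY_FALLBACK[cap];
+    if (!moderationCap)
+        return null;
+    if (grants.has(moderationCap))
+        return null;
+    if (options.resource === undefined)
+        return null;
+    if (isOwnedBy(options.resource, auth.userId))
+        return null;
+    return forbidden(`Requires ownership or ${moderationCap}`);
+}
+//# sourceMappingURL=require.js.map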
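Review bot: In requireCapability, `role_grants_1.RoleGrants[auth.tenantRole]` is dereferenced with no guard, so a caller whose tenantRole is undefined or not one of the four table keys — the case requireRole already tolerates, since `ROLE_RANK[undefined] >= n` is simply false — throws a TypeError at `grants.has(cap)` and surfaces as an unhandled error instead of a 403; `if (!grants || !grants.has(cap)) return forbidden(`Requires capability ${cap}`);` keeps it fail-closed (I cannot see AuthContext here, so whether tenantRole can be absent is inferred from requireRole's tolerance of it). The `options.resource === undefined` branch is a fail-open default: a MEMBER holding PostDelete passes against any post whenever a route loads the resource but forgets to pass it, and nothing at this layer catches the omission. Because the own-only set is a fixed table, returning `forbidden(...)` when the resource is missing for one of those capabilities (or at minimum logging it) would turn a forgotten argument into a visible bug rather than a silent authorization bypass; if lenient mode must stay for existing routes, the header comment should name the routes that rely on it. This is compiled output, so the change belongs in src/lib/auth/require.ts.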
@@ -0,0 +1 @@
1
+ {"version":3,"file":"require.js","sourceRoot":"","sources":["../../../src/lib/auth/require.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAgCH,kCAOC;AA6DD,8CAkBC;AAlHD,iDAAkE;AAClE,+CAA2C;AAE3C,+CAAkE;AAAzD,0GAAA,UAAU,OAAA;AACnB,6CAA2C;AAAlC,yGAAA,UAAU,OAAA;AAEnB,MAAM,SAAS,GAA+B;IAC5C,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,YAAY,CAAC,IAAiB;IACrC,OAAO,IAAI,CAAC,UAAU,KAAM,aAA0B,CAAC;AACzD,CAAC;AAED,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,EAC/C,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CACzB,IAAiB,EACjB,OAAmB;IAEnB,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,OAAO,SAAS,CAAC,wBAAwB,OAAO,YAAY,CAAC,CAAC;AAChE,CAAC;AAqBD;;;;;;;;;GASG;AACH,MAAM,iBAAiB,GAAsD;IAC3E,CAAC,yBAAU,CAAC,UAAU,CAAC,EAAE,yBAAU,CAAC,YAAY;IAChD,CAAC,yBAAU,CAAC,UAAU,CAAC,EAAE,yBAAU,CAAC,YAAY;IAChD,CAAC,yBAAU,CAAC,YAAY,CAAC,EAAE,yBAAU,CAAC,YAAY;IAClD,CAAC,yBAAU,CAAC,YAAY,CAAC,EAAE,yBAAU,CAAC,YAAY;CACnD,CAAC;AAEF,SAAS,SAAS,CAChB,QAAwC,EACxC,MAAc;IAEd,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACzE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,iBAAiB,CAC/B,IAAiB,EACjB,GAAoB,EACpB,UAAoC,EAAE;IAEtC,IAAI,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,MAAM,GAAG,wBAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;IAErE,MAAM,aAAa,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEhC,IAAI,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAA
C;IAE1D,OAAO,SAAS,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAC;AAC7D,CAAC"}
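--- a/package/dist/lib/auth/role-grants.d.ts
+++ b/package/dist/lib/auth/role-grants.d.ts
@@ -0,0 +1,18 @@
+/**
+* Static default capability grants per `TenantRole`.
+*
+* The four canonical roles are:
+* GUEST — read-only on public surfaces.
+* MEMBER — can post, update/delete own posts, manage own entities.
+* ADMIN — manage tenant config, members, IdPs, domains, role mappings.
+* OWNER — superset of ADMIN plus tenant.delete and tenant.suspend.
+*
+* Custom roles or per-tenant overrides are out of scope for MVP.
+*
+* Hierarchy invariant (asserted in tests):
+* GUEST ⊂ MEMBER ⊂ ADMIN ⊂ OWNER.
+*/
+import type { TenantRole } from "@prisma/client";
+import { type CapabilityValue } from "./capabilities";
+export declare const RoleGrants: Record<TenantRole, ReadonlySet<CapabilityValue>>;
+//# sourceMappingURL=role-grants.d.ts.map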
@@ -0,0 +1 @@
1
+ {"version":3,"file":"role-grants.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/role-grants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AA2ClE,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,eAAe,CAAC,CAKvE,CAAC"}
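--- a/package/dist/lib/auth/role-grants.js
+++ b/package/dist/lib/auth/role-grants.js
@@ -0,0 +1,62 @@
+"use strict";
+/**
+* Static default capability grants per `TenantRole`.
+*
+* The four canonical roles are:
+* GUEST — read-only on public surfaces.
+* MEMBER — can post, update/delete own posts, manage own entities.
+* ADMIN — manage tenant config, members, IdPs, domains, role mappings.
+* OWNER — superset of ADMIN plus tenant.delete and tenant.suspend.
+*
+* Custom roles or per-tenant overrides are out of scope for MVP.
+*
+* Hierarchy invariant (asserted in tests):
+* GUEST ⊂ MEMBER ⊂ ADMIN ⊂ OWNER.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleGrants = void 0;
+const capabilities_1 = require("./capabilities");
+const GuestGrants = new Set([
+capabilities_1.Capability.DomainView,
+capabilities_1.Capability.EntityView,
+capabilities_1.Capability.PostView,
+]);
+const MemberGrants = new Set([
+...GuestGrants,
+capabilities_1.Capability.MemberView,
+capabilities_1.Capability.EntityCreate,
+capabilities_1.Capability.EntityUpdate,
+capabilities_1.Capability.EntityDelete,
+capabilities_1.Capability.PostCreate,
+capabilities_1.Capability.PostUpdate,
+capabilities_1.Capability.PostDelete,
+]);
+const AdminGrants = new Set([
+...MemberGrants,
+capabilities_1.Capability.TenantUpdate,
+capabilities_1.Capability.MemberInvite,
+capabilities_1.Capability.MemberRemove,
+capabilities_1.Capability.MemberChangeRole,
+capabilities_1.Capability.MemberSuspend,
+capabilities_1.Capability.IdpConfigure,
+capabilities_1.Capability.IdpView,
+capabilities_1.Capability.RoleMappingEdit,
+capabilities_1.Capability.DomainAdd,
+capabilities_1.Capability.DomainVerify,
+capabilities_1.Capability.DomainRemove,
+capabilities_1.Capability.PostModerate,
+capabilities_1.Capability.AuditView,
+capabilities_1.Capability.ManageAgentSessions,
+]);
+const OwnerGrants = new Set([
+...AdminGrants,
+capabilities_1.Capability.TenantDelete,
+capabilities_1.Capability.TenantSuspend,
+]);
+exports.RoleGrants = {
+OWNER: OwnerGrants,
+ADMIN: AdminGrants,
+MEMBER: MemberGrants,
+GUEST: GuestGrants,
+};
+//# sourceMappingURL=role-grants.js.map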
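Review bot: `RoleGrants` and the four grant sets at lines 19–61 are mutable at runtime: `ReadonlySet` is erased by the compiler, so any module that imports this table (or a compromised dependency sharing the process) can call `exports.RoleGrants.GUEST.add(capabilities_1.Capability.TenantDelete)` or reassign `exports.RoleGrants.OWNER`, and every capability check that consults the table would silently honour it. The hierarchy invariant is only asserted in tests, not enforced at load time. At minimum freeze the record, `exports.RoleGrants = Object.freeze({ ... })`, and consider exposing a `hasCapability(role, cap)` accessor instead of the raw sets so `Set.prototype.add`/`delete` are not reachable from outside the module. Separately, the header's "own posts / own entities" scoping for MEMBER is not expressed in these grants — presumably the ownership check lives in the caller, which is worth stating: `// Ownership ("own posts") is NOT encoded here; callers must check it separately.`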
@@ -0,0 +1 @@
1
+ {"version":3,"file":"role-grants.js","sourceRoot":"","sources":["../../../src/lib/auth/role-grants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAGH,iDAAkE;AAElE,MAAM,WAAW,GAAiC,IAAI,GAAG,CAAkB;IACzE,yBAAU,CAAC,UAAU;IACrB,yBAAU,CAAC,UAAU;IACrB,yBAAU,CAAC,QAAQ;CACpB,CAAC,CAAC;AAEH,MAAM,YAAY,GAAiC,IAAI,GAAG,CAAkB;IAC1E,GAAG,WAAW;IACd,yBAAU,CAAC,UAAU;IACrB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,UAAU;IACrB,yBAAU,CAAC,UAAU;IACrB,yBAAU,CAAC,UAAU;CACtB,CAAC,CAAC;AAEH,MAAM,WAAW,GAAiC,IAAI,GAAG,CAAkB;IACzE,GAAG,YAAY;IACf,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,gBAAgB;IAC3B,yBAAU,CAAC,aAAa;IACxB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,OAAO;IAClB,yBAAU,CAAC,eAAe;IAC1B,yBAAU,CAAC,SAAS;IACpB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,SAAS;IACpB,yBAAU,CAAC,mBAAmB;CAC/B,CAAC,CAAC;AAEH,MAAM,WAAW,GAAiC,IAAI,GAAG,CAAkB;IACzE,GAAG,WAAW;IACd,yBAAU,CAAC,YAAY;IACvB,yBAAU,CAAC,aAAa;CACzB,CAAC,CAAC;AAEU,QAAA,UAAU,GAAqD;IAC1E,KAAK,EAAE,WAAW;IAClB,KAAK,EAAE,WAAW;IAClB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,WAAW;CACnB,CAAC"}
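--- a/package/dist/lib/cognito/idp-sdk.d.ts
+++ b/package/dist/lib/cognito/idp-sdk.d.ts
@@ -0,0 +1,80 @@
+/**
+* Cognito Identity Provider SDK wrapper.
+*
+* The route handler talks to Cognito only through this surface so the
+* Cognito-shaped commands stay in one place and the rollback paths in
+* the route are easier to reason about.
+*
+* Concurrency: `setSupportedIdentityProviders` performs a
+* Describe → mutate → Update sequence which is racy across concurrent
+* connect/disconnect calls. The route handler must wrap the call in a
+* Postgres advisory lock keyed on the user pool id; the helper
+* `withUserPoolClientLock` here implements that pattern.
+*/
+import { CognitoIdentityProviderClient } from "@aws-sdk/client-cognito-identity-provider";
+import type { TenantRole } from "@prisma/client";
+export interface OidcProviderDetails {
+clientId: string;
+clientSecret: string;
+issuerUrl: string;
+scopes?: string;
+}
+export interface IdpAttributeMapping {
+email: string;
+given_name?: string;
+family_name?: string;
+"custom:idpGroups"?: string;
+[key: string]: string | undefined;
+}
+export interface CreateOidcProviderInput {
+userPoolId: string;
+providerName: string;
+details: OidcProviderDetails;
+attributeMapping: IdpAttributeMapping;
+idpIdentifiers: string[];
+}
+export interface UpdateOidcProviderInput {
+userPoolId: string;
+providerName: string;
+details?: Partial<OidcProviderDetails>;
+attributeMapping?: IdpAttributeMapping;
+idpIdentifiers?: string[];
+}
+/** Default attribute mapping per 04-cognito-federation.md §attribute-mapping. */
+export declare function defaultOidcAttributeMapping(): IdpAttributeMapping;
+export declare class CognitoIdpSdk {
+private readonly client;
+constructor(client: CognitoIdentityProviderClient);
+createOidcProvider(input: CreateOidcProviderInput): Promise<void>;
+updateOidcProvider(input: UpdateOidcProviderInput): Promise<void>;
+deleteProvider(userPoolId: string, providerName: string): Promise<void>;
+describeProvider(userPoolId: string, providerName: string): Promise<boolean>;
+/**
+* Read the app client's current `SupportedIdentityProviders`, mutate the
+* list (add or remove `providerName`), and write it back. UpdateUserPoolClient
+* is a full replace, so we carry the rest of the existing config through.
+*
+* NOT race-safe in isolation. The caller must hold an advisory lock
+* keyed on (userPoolId, clientId).
+*/
+setSupportedIdentityProvider(userPoolId: string, clientId: string, providerName: string, op: "add" | "remove"): Promise<void>;
+}
+/**
+* Stable 64-bit advisory-lock key derived from the user pool id. Postgres
+* `pg_advisory_xact_lock(bigint)` is used so the lock is auto-released at
+* transaction end. We only need a single number — collisions on different
+* pool ids would just mean false serialization, which is fine.
+*/
+export declare function userPoolAdvisoryLockKey(userPoolId: string): bigint;
+export interface AdvisoryLockClient {
+$executeRaw(query: TemplateStringsArray, ...values: unknown[]): Promise<number>;
+}
+/**
+* Run `fn` while holding a Postgres advisory lock keyed on the user pool id.
+* Lock is released at the end of the wrapping transaction; the caller passes
+* the inner `tx` from `prisma.$transaction((tx) => ...)`.
+*/
+export declare function withUserPoolClientLock<T>(tx: AdvisoryLockClient, userPoolId: string, fn: () => Promise<T>): Promise<T>;
+/** Mapper for tests; the route catalog references this for typing. */
+export type IdpDefaultRole = TenantRole | null;
+//# sourceMappingURL=idp-sdk.d.ts.map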
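Review bot: The module header (lines 8–12) and the method doc (lines 57–58) disagree on the locking contract: the header says the advisory lock is keyed on the user pool id and names the method `setSupportedIdentityProviders`, while the method doc tells callers to hold a lock keyed on `(userPoolId, clientId)`, and the declared method is `setSupportedIdentityProvider` with `userPoolAdvisoryLockKey(userPoolId)` taking only the pool id. Since the implemented lock is per pool (coarser, so still safe), align the method doc with it — `* NOT race-safe in isolation. The caller must hold the per-user-pool advisory lock` / `* (withUserPoolClientLock); it serialises all app clients of the pool.` — and fix the plural name in the header, otherwise a later maintainer may "narrow" the key to include clientId and believe the header was already describing that. `OidcProviderDetails.clientSecret` (line 18) is a credential that flows through `CreateOidcProviderInput`/`UpdateOidcProviderInput`; a one-line caveat on the field, `/** Credential — never log or include in audit payloads. */`, would help the route handler and audit emitters that serialise these inputs.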
@@ -0,0 +1 @@
1
+ {"version":3,"file":"idp-sdk.d.ts","sourceRoot":"","sources":["../../../src/lib/cognito/idp-sdk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EACL,6BAA6B,EAO9B,MAAM,2CAA2C,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC;AAED,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,mBAAmB,CAAC;IAC7B,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACvC,gBAAgB,CAAC,EAAE,mBAAmB,CAAC;IACvC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,iFAAiF;AACjF,wBAAgB,2BAA2B,IAAI,mBAAmB,CAOjE;AAaD,qBAAa,aAAa;IACZ,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,6BAA6B;IAE5D,kBAAkB,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAajE,kBAAkB,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBjE,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASvE,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBlF;;;;;;;OAOG;IACG,4BAA4B,CAChC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,EAAE,EAAE,KAAK,GAAG,QAAQ,GACnB,OAAO,CAAC,IAAI,CAAC;CAwCjB;AAoBD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAUlE;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,CAAC,KAAK,EAAE,oBAAoB,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjF;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAC5C,EAAE,EAAE,kBAAkB,EACtB,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACnB,OAAO,CAAC,CAAC,CAAC,CAIZ;AAED,sEAAsE;AACtE,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,IAAI,CAAC"}
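--- a/package/dist/lib/cognito/idp-sdk.js
+++ b/package/dist/lib/cognito/idp-sdk.js
@@ -0,0 +1,186 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoIdpSdk = void 0;
+exports.defaultOidcAttributeMapping = defaultOidcAttributeMapping;
+exports.userPoolAdvisoryLockKey = userPoolAdvisoryLockKey;
+exports.withUserPoolClientLock = withUserPoolClientLock;
+/**
+* Cognito Identity Provider SDK wrapper.
+*
+* The route handler talks to Cognito only through this surface so the
+* Cognito-shaped commands stay in one place and the rollback paths in
+* the route are easier to reason about.
+*
+* Concurrency: `setSupportedIdentityProviders` performs a
+* Describe → mutate → Update sequence which is racy across concurrent
+* connect/disconnect calls. The route handler must wrap the call in a
+* Postgres advisory lock keyed on the user pool id; the helper
+* `withUserPoolClientLock` here implements that pattern.
+*/
+const client_cognito_identity_provider_1 = require("@aws-sdk/client-cognito-identity-provider");
+/** Default attribute mapping per 04-cognito-federation.md §attribute-mapping. */
+function defaultOidcAttributeMapping() {
+return {
+email: "email",
+given_name: "given_name",
+family_name: "family_name",
+"custom:idpGroups": "groups",
+};
+}
+function buildOidcProviderDetails(d) {
+const out = {
+client_id: d.clientId,
+client_secret: d.clientSecret,
+oidc_issuer: d.issuerUrl,
+attributes_request_method: "GET",
+authorize_scopes: d.scopes ?? "openid email profile groups",
+};
+return out;
+}
+class CognitoIdpSdk {
+client;
+constructor(client) {
+this.client = client;
+}
+async createOidcProvider(input) {
+await this.client.send(new client_cognito_identity_provider_1.CreateIdentityProviderCommand({
+UserPoolId: input.userPoolId,
+ProviderName: input.providerName,
+ProviderType: "OIDC",
+ProviderDetails: buildOidcProviderDetails(input.details),
+AttributeMapping: stripUndefined(input.attributeMapping),
+IdpIdentifiers: input.idpIdentifiers,
+}));
+}
+async updateOidcProvider(input) {
+const providerDetails = input.details
+? buildOidcProviderDetailsPartial(input.details)
+: undefined;
+await this.client.send(new client_cognito_identity_provider_1.UpdateIdentityProviderCommand({
+UserPoolId: input.userPoolId,
+ProviderName: input.providerName,
+...(providerDetails ? { ProviderDetails: providerDetails } : {}),
+...(input.attributeMapping
+? { AttributeMapping: stripUndefined(input.attributeMapping) }
+: {}),
+...(input.idpIdentifiers ? { IdpIdentifiers: input.idpIdentifiers } : {}),
+}));
+}
+async deleteProvider(userPoolId, providerName) {
+await this.client.send(new client_cognito_identity_provider_1.DeleteIdentityProviderCommand({
+UserPoolId: userPoolId,
+ProviderName: providerName,
+}));
+}
+async describeProvider(userPoolId, providerName) {
+try {
+await this.client.send(new client_cognito_identity_provider_1.DescribeIdentityProviderCommand({
+UserPoolId: userPoolId,
+ProviderName: providerName,
+}));
+return true;
+}
+catch (err) {
+const name = err.name;
+if (name === "ResourceNotFoundException")
+return false;
+throw err;
+}
+}
+/**
+* Read the app client's current `SupportedIdentityProviders`, mutate the
+* list (add or remove `providerName`), and write it back. UpdateUserPoolClient
+* is a full replace, so we carry the rest of the existing config through.
+*
+* NOT race-safe in isolation. The caller must hold an advisory lock
+* keyed on (userPoolId, clientId).
+*/
+async setSupportedIdentityProvider(userPoolId, clientId, providerName, op) {
+const desc = await this.client.send(new client_cognito_identity_provider_1.DescribeUserPoolClientCommand({ UserPoolId: userPoolId, ClientId: clientId }));
+const existing = desc.UserPoolClient;
+if (!existing)
+throw new Error("DescribeUserPoolClient returned no client");
+const current = existing.SupportedIdentityProviders ?? [];
+const set = new Set(current);
+if (op === "add")
+set.add(providerName);
+else
+set.delete(providerName);
+const next = Array.from(set);
+await this.client.send(new client_cognito_identity_provider_1.UpdateUserPoolClientCommand({
+UserPoolId: userPoolId,
+ClientId: clientId,
+ClientName: existing.ClientName,
+AccessTokenValidity: existing.AccessTokenValidity,
+IdTokenValidity: existing.IdTokenValidity,
+RefreshTokenValidity: existing.RefreshTokenValidity,
+TokenValidityUnits: existing.TokenValidityUnits,
+ReadAttributes: existing.ReadAttributes,
+WriteAttributes: existing.WriteAttributes,
+ExplicitAuthFlows: existing.ExplicitAuthFlows,
+AllowedOAuthFlows: existing.AllowedOAuthFlows,
+AllowedOAuthScopes: existing.AllowedOAuthScopes,
+AllowedOAuthFlowsUserPoolClient: existing.AllowedOAuthFlowsUserPoolClient,
+CallbackURLs: existing.CallbackURLs,
+LogoutURLs: existing.LogoutURLs,
+DefaultRedirectURI: existing.DefaultRedirectURI,
+PreventUserExistenceErrors: existing.PreventUserExistenceErrors,
+EnableTokenRevocation: existing.EnableTokenRevocation,
+EnablePropagateAdditionalUserContextData: existing.EnablePropagateAdditionalUserContextData,
+AuthSessionValidity: existing.AuthSessionValidity,
+SupportedIdentityProviders: next,
+}));
+}
+}
+exports.CognitoIdpSdk = CognitoIdpSdk;
+function buildOidcProviderDetailsPartial(d) {
+const out = {};
+if (d.clientId)
+out.client_id = d.clientId;
+if (d.clientSecret)
+out.client_secret = d.clientSecret;
+if (d.issuerUrl)
+out.oidc_issuer = d.issuerUrl;
+if (d.scopes)
+out.authorize_scopes = d.scopes;
+if (Object.keys(out).length > 0)
+out.attributes_request_method = "GET";
+return out;
+}
+function stripUndefined(map) {
+const out = {};
+for (const [k, v] of Object.entries(map)) {
+if (typeof v === "string")
+out[k] = v;
+}
+return out;
+}
+/**
+* Stable 64-bit advisory-lock key derived from the user pool id. Postgres
+* `pg_advisory_xact_lock(bigint)` is used so the lock is auto-released at
+* transaction end. We only need a single number — collisions on different
+* pool ids would just mean false serialization, which is fine.
+*/
+function userPoolAdvisoryLockKey(userPoolId) {
+let h = 0xcbf29ce484222325n;
+const PRIME = 0x100000001b3n;
+const MASK = 0xffffffffffffffffn;
+for (let i = 0; i < userPoolId.length; i++) {
+h = (h ^ BigInt(userPoolId.charCodeAt(i))) & MASK;
+h = (h * PRIME) & MASK;
+}
+if (h >= 0x8000000000000000n)
+h = h - 0x10000000000000000n;
+return h;
+}
+/**
+* Run `fn` while holding a Postgres advisory lock keyed on the user pool id.
+* Lock is released at the end of the wrapping transaction; the caller passes
+* the inner `tx` from `prisma.$transaction((tx) => ...)`.
+*/
+async function withUserPoolClientLock(tx, userPoolId, fn) {
+const key = userPoolAdvisoryLockKey(userPoolId);
+await tx.$executeRaw `SELECT pg_advisory_xact_lock(${key}::bigint)`;
+return fn();
+}
+//# sourceMappingURL=idp-sdk.js.map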
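Review bot: `setSupportedIdentityProvider` (lines 98–133) carries the existing app-client config through a hand-maintained field list, and because `UpdateUserPoolClient` is a full replace (as the doc on line 93 says) any `UserPoolClientType` field not in that list is silently reset to its default on every IdP connect/disconnect — `AnalyticsConfiguration` appears to be absent, and any field the SDK adds later will be dropped with no compile error, which is how a security setting such as `PreventUserExistenceErrors` or `EnableTokenRevocation` quietly regresses. In the TS source, derive the carried keys from the SDK's `UpdateUserPoolClientCommandInput` with a compile-time exhaustiveness check so a new field fails the build instead of being reset. `updateOidcProvider` (lines 55–68) has the same shape of risk: if Cognito treats `ProviderDetails` on `UpdateIdentityProvider` as a full replacement, sending only the changed keys from `buildOidcProviderDetailsPartial` would drop `client_id`/`oidc_issuer` for the provider; confirm against the API and, if so, merge with the current details from `DescribeIdentityProvider` before sending. The lock helper (lines 181–185) is fine — `$executeRaw` as a tagged template passes `key` as a bound parameter, not string-concatenated SQL — but note in its doc that it only serialises writers that go through this code path; changes made via the console or other tooling are not covered.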
@@ -0,0 +1 @@
1
+ {"version":3,"file":"idp-sdk.js","sourceRoot":"","sources":["../../../src/lib/cognito/idp-sdk.ts"],"names":[],"mappings":";;;AAwDA,kEAOC;AAsJD,0DAUC;AAWD,wDAQC;AAlPD;;;;;;;;;;;;GAYG;AACH,gGAQmD;AAkCnD,iFAAiF;AACjF,SAAgB,2BAA2B;IACzC,OAAO;QACL,KAAK,EAAE,OAAO;QACd,UAAU,EAAE,YAAY;QACxB,WAAW,EAAE,aAAa;QAC1B,kBAAkB,EAAE,QAAQ;KAC7B,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,CAAsB;IACtD,MAAM,GAAG,GAA2B;QAClC,SAAS,EAAE,CAAC,CAAC,QAAQ;QACrB,aAAa,EAAE,CAAC,CAAC,YAAY;QAC7B,WAAW,EAAE,CAAC,CAAC,SAAS;QACxB,yBAAyB,EAAE,KAAK;QAChC,gBAAgB,EAAE,CAAC,CAAC,MAAM,IAAI,6BAA6B;KAC5D,CAAC;IACF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAa,aAAa;IACK;IAA7B,YAA6B,MAAqC;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,KAAK,CAAC,kBAAkB,CAAC,KAA8B;QACrD,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,gEAA6B,CAAC;YAChC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,YAAY,EAAE,MAAM;YACpB,eAAe,EAAE,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC;YACxD,gBAAgB,EAAE,cAAc,CAAC,KAAK,CAAC,gBAAgB,CAAC;YACxD,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAA8B;QACrD,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO;YACnC,CAAC,CAAC,+BAA+B,CAAC,KAAK,CAAC,OAAO,CAAC;YAChD,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,gEAA6B,CAAC;YAChC,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,GAAG,CAAC,KAAK,CAAC,gBAAgB;gBACxB,CAAC,CAAC,EAAE,gBAAgB,EAAE,cAAc,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE;gBAC9D,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,UAAkB,EAAE,YAAoB;QAC3D,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,gEAA6B,CAAC;YAChC,UAAU,EAAE,UAAU;YACtB,YAAY,EAAE,YAAY;SAC3B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,UAAkB,EAAE,YAAoB;QAC7D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,kEAA+B,CAAC;gBAClC,UAAU,EAAE,UAAU;gBACtB,YAAY,EAAE,YAAY;aAC3B,CAAC,CACH,CAAC;YACF,OAAO,IAAI,CAAC
;QACd,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,GAAI,GAAyB,CAAC,IAAI,CAAC;YAC7C,IAAI,IAAI,KAAK,2BAA2B;gBAAE,OAAO,KAAK,CAAC;YACvD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,4BAA4B,CAChC,UAAkB,EAClB,QAAgB,EAChB,YAAoB,EACpB,EAAoB;QAEpB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACjC,IAAI,gEAA6B,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAClF,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC;QACrC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,QAAQ,CAAC,0BAA0B,IAAI,EAAE,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,KAAK;YAAE,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;;YACnC,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,8DAA2B,CAAC;YAC9B,UAAU,EAAE,UAAU;YACtB,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;YACjD,eAAe,EAAE,QAAQ,CAAC,eAAe;YACzC,oBAAoB,EAAE,QAAQ,CAAC,oBAAoB;YACnD,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;YAC/C,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,eAAe,EAAE,QAAQ,CAAC,eAAe;YACzC,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;YAC/C,+BAA+B,EAAE,QAAQ,CAAC,+BAA+B;YACzE,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;YAC/C,0BAA0B,EAAE,QAAQ,CAAC,0BAA0B;YAC/D,qBAAqB,EAAE,QAAQ,CAAC,qBAAqB;YACrD,wCAAwC,EACtC,QAAQ,CAAC,wCAAwC;YACnD,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;YACjD,0BAA0B,EAAE,IAAI;SACjC,CAAC,CACH,CAAC;IACJ,CAAC;CACF;AA/GD,sCA+GC;AAED,SAAS,+BAA+B,CAAC,CAA+B;IACtE,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,QAAQ;QAAE,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC3C,IAAI,CAAC,CAAC,YAAY;QAAE,GAAG,CAAC,aAAa,GAAG,CAAC,CAAC,YAAY,CAAC;IACvD,IAAI,CAAC,CAAC,SAAS;QAAE,GAAG,CAAC,WAAW,GAAG,CAAC,CAAC,SAAS,CAAC;IAC/C,IAAI,CAAC,CAAC,MAAM;QAAE,GAAG,CAAC,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,GAAG,CAAC,yBAAyB,GAAG,KAAK,CAAC;IACvE,OAAO,GAAG,C
AAC;AACb,CAAC;AAED,SAAS,cAAc,CAAC,GAAuC;IAC7D,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CAAC,UAAkB;IACxD,IAAI,CAAC,GAAG,mBAAmB,CAAC;IAC5B,MAAM,KAAK,GAAG,cAAc,CAAC;IAC7B,MAAM,IAAI,GAAG,mBAAmB,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QAClD,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,IAAI,CAAC;IACzB,CAAC;IACD,IAAI,CAAC,IAAI,mBAAmB;QAAE,CAAC,GAAG,CAAC,GAAG,oBAAoB,CAAC;IAC3D,OAAO,CAAC,CAAC;AACX,CAAC;AAMD;;;;GAIG;AACI,KAAK,UAAU,sBAAsB,CAC1C,EAAsB,EACtB,UAAkB,EAClB,EAAoB;IAEpB,MAAM,GAAG,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,EAAE,CAAC,WAAW,CAAA,gCAAgC,GAAG,WAAW,CAAC;IACnE,OAAO,EAAE,EAAE,CAAC;AACd,CAAC"}
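--- a/package/dist/lib/cognito/issuer-probe.d.ts
+++ b/package/dist/lib/cognito/issuer-probe.d.ts
@@ -0,0 +1,47 @@
+export type IssuerProbeFailureReason = "INVALID_URL" | "INSECURE_SCHEME" | "PRIVATE_HOST" | "DNS_ERROR" | "REDIRECT_BLOCKED" | "HTTP_ERROR" | "BODY_TOO_LARGE" | "INVALID_JSON" | "MISSING_ENDPOINTS" | "TIMEOUT" | "NETWORK_ERROR";
+export interface IssuerProbeSuccess {
+ok: true;
+issuer: string;
+authorizationEndpoint: string;
+tokenEndpoint: string;
+jwksUri: string;
+userinfoEndpoint?: string;
+}
+export interface IssuerProbeFailure {
+ok: false;
+reason: IssuerProbeFailureReason;
+message: string;
+}
+export type IssuerProbeResult = IssuerProbeSuccess | IssuerProbeFailure;
+export interface IssuerProbeOptions {
+/** Override the fetch implementation (tests). */
+fetchImpl?: typeof fetch;
+/** Override the DNS resolver (tests). */
+resolveHostname?: (hostname: string) => Promise<string[]>;
+/** Override the timeout in ms. Defaults to 5000. */
+timeoutMs?: number;
+/**
+* Override the pinned-dispatcher factory (tests). Production binds this to
+* `defaultPinnedDispatcher`, which builds a undici Agent whose connect.lookup
+* returns the validated IP — preventing DNS-rebinding TOCTOU between the
+* private-IP check and the actual TCP connect.
+*/
+dispatcherFactory?: (validatedIp: string, family: 4 | 6) => unknown;
+}
+/**
+* Returns true if the IPv4 address is in any RFC 6890 special-purpose range
+* we want to refuse: loopback, private, link-local, broadcast, etc.
+*/
+export declare function isPrivateIPv4(ip: string): boolean;
+/**
+* Returns true if the IPv6 address is in a private/loopback/link-local/etc.
+* range. Performs a normalized prefix comparison; we expand `::` and ignore
+* zone identifiers.
+*/
+export declare function isPrivateIPv6(ip: string): boolean;
+/**
+* Probe an OIDC issuer's well-known configuration. Returns a discriminated
+* result; callers map failures onto 422 with a remediation message.
+*/
+export declare function probeOidcIssuer(issuerUrl: string, options?: IssuerProbeOptions): Promise<IssuerProbeResult>;
+//# sourceMappingURL=issuer-probe.d.ts.map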
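Review bot: The `isPrivateIPv6` contract (lines 36–41) says it expands `::` and ignores zone identifiers but says nothing about IPv4-mapped addresses; `::ffff:127.0.0.1` or `::ffff:169.254.169.254` reach loopback or the cloud metadata service and are the standard bypass for a v6 prefix list that only covers native ranges. If the implementation (not in this hunk) does not unwrap `::ffff:a.b.c.d` (and the hex form `::ffff:7f00:1`) and delegate to `isPrivateIPv4`, it should, and the declaration should say so: `* IPv4-mapped addresses (::ffff:a.b.c.d) are judged by isPrivateIPv4 on the embedded v4.` The `dispatcherFactory` note (lines 24–28) pins the validated IP for the initial connect only; given `REDIRECT_BLOCKED` is a reason code, it is presumably the case that the probe follows no redirects, and stating that explicitly (`* The probe never follows redirects; a 30x is reported as REDIRECT_BLOCKED.`) makes clear the pin cannot be defeated by a redirect to an internal host. Finally, the endpoints in `IssuerProbeSuccess` are returned verbatim from the discovery document and are not themselves validated here; the contract should say consumers in this process must not fetch them without the same checks.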
@@ -0,0 +1 @@
1
+ {"version":3,"file":"issuer-probe.d.ts","sourceRoot":"","sources":["../../../src/lib/cognito/issuer-probe.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,wBAAwB,GAChC,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,WAAW,GACX,kBAAkB,GAClB,YAAY,GACZ,gBAAgB,GAChB,cAAc,GACd,mBAAmB,GACnB,SAAS,GACT,eAAe,CAAC;AAEpB,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,IAAI,CAAC;IACT,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,wBAAwB,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AAExE,MAAM,WAAW,kBAAkB;IACjC,iDAAiD;IACjD,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,yCAAyC;IACzC,eAAe,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC;CACrE;AAWD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAiBjD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAkCjD;AAmCD;;;GAGG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CA2E5B"}