@de-otio/trellis 0.6.1 → 0.7.1
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +7 -5
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
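--- a/package/dist/lib/cognito/issuer-probe.js
+++ b/package/dist/lib/cognito/issuer-probe.js
@@ -0,0 +1,319 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPrivateIPv4 = isPrivateIPv4;
+exports.isPrivateIPv6 = isPrivateIPv6;
+exports.probeOidcIssuer = probeOidcIssuer;
+/**
+* OIDC issuer probe.
+*
+* Before registering an OIDC IdP with Cognito, GET the issuer's well-known
+* configuration to confirm the URL points at a working OIDC provider.
+*
+* Security constraints (T5 — issuer probe is the trellis HTTP egress surface
+* most exposed to admin-supplied URLs):
+* - HTTPS only.
+* - Hostname must resolve to a non-private, non-loopback, non-link-local IP
+* (RFC 6890). Both IPv4 and IPv6 are checked.
+* - HTTP redirects are rejected (`redirect: "manual"`); we never follow.
+* - Response body is capped at 1 MiB.
+* - Timeout 5 s.
+* - Body must be JSON with the required OIDC discovery fields.
+*/
+const node_dns_1 = require("node:dns");
+const node_net_1 = require("node:net");
+const undici_1 = require("undici");
+const PROBE_TIMEOUT_MS = 5000;
+const MAX_BODY_BYTES = 1024 * 1024;
+const MAX_ISSUER_URL_LENGTH = 2048;
+const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+function fail(reason, message) {
+return { ok: false, reason, message };
+}
+function defaultResolve(hostname) {
+return node_dns_1.promises.lookup(hostname, { all: true, verbatim: true })
+.then((addrs) => addrs.map((a) => a.address));
+}
+/**
+* Returns true if the IPv4 address is in any RFC 6890 special-purpose range
+* we want to refuse: loopback, private, link-local, broadcast, etc.
+*/
+function isPrivateIPv4(ip) {
+const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
+if (!m)
+return false;
+const o = m.slice(1, 5).map((s) => Number(s));
+if (o.some((x) => x < 0 || x > 255))
+return true;
+const [a, b] = [o[0], o[1]];
+if (a === 0)
+return true;
+if (a === 10)
+return true;
+if (a === 127)
+return true;
+if (a === 169 && b === 254)
+return true;
+if (a === 172 && b >= 16 && b <= 31)
+return true;
+if (a === 192 && b === 0)
+return true;
+if (a === 192 && b === 168)
+return true;
+if (a === 198 && (b === 18 || b === 19))
+return true;
+if (a === 100 && b >= 64 && b <= 127)
+return true;
+if (a >= 224)
+return true;
+return false;
+}
+/**
+* Returns true if the IPv6 address is in a private/loopback/link-local/etc.
+* range. Performs a normalized prefix comparison; we expand `::` and ignore
+* zone identifiers.
+*/
+function isPrivateIPv6(ip) {
+if (!ip.includes(":"))
+return false;
+const stripped = ip.split("%")[0].toLowerCase();
+if (stripped === "::1" || stripped === "::")
+return true;
+const segs = expandIPv6(stripped);
+if (!segs)
+return true;
+if (segs[0] === 0 && segs.slice(0, 7).every((s) => s === 0) && segs[7] === 1)
+return true;
+if ((segs[0] & 0xfe00) === 0xfc00)
+return true;
+if ((segs[0] & 0xffc0) === 0xfe80)
+return true;
+if ((segs[0] & 0xff00) === 0xff00)
+return true;
+// 2001:db8::/32 — RFC 3849 documentation prefix; not routable, must not
+// be reachable from the issuer probe.
+if (segs[0] === 0x2001 && segs[1] === 0x0db8)
+return true;
+if (segs[0] === 0 &&
+segs[1] === 0 &&
+segs[2] === 0 &&
+segs[3] === 0 &&
+segs[4] === 0 &&
+segs[5] === 0xffff) {
+const v4 = `${(segs[6] >> 8) & 0xff}.${segs[6] & 0xff}.${(segs[7] >> 8) & 0xff}.${segs[7] & 0xff}`;
+return isPrivateIPv4(v4);
+}
+return false;
+}
+function expandIPv6(ip) {
+let work = ip;
+let v4Tail = null;
+const v4Match = /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$/.exec(work);
+if (v4Match) {
+const o = v4Match[1].split(".").map((s) => Number(s));
+if (o.some((x) => Number.isNaN(x) || x < 0 || x > 255))
+return null;
+v4Tail = [(o[0] << 8) | o[1], (o[2] << 8) | o[3]];
+work = work.slice(0, work.length - v4Match[1].length).replace(/:$/, "");
+}
+const parts = work.split("::");
+if (parts.length > 2)
+return null;
+const head = parts[0] ? parts[0].split(":") : [];
+const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
+const totalAfterHeadTail = head.length + tail.length + (v4Tail ? 2 : 0);
+const missing = 8 - totalAfterHeadTail;
+if (parts.length === 2) {
+if (missing < 0)
+return null;
+}
+else if (missing !== 0) {
+return null;
+}
+const fill = parts.length === 2 ? new Array(missing).fill("0") : [];
+const filled = [...head, ...fill, ...tail];
+const out = [];
+for (const s of filled) {
+if (!/^[0-9a-f]{0,4}$/.test(s))
+return null;
+out.push(parseInt(s || "0", 16));
+}
+if (v4Tail)
+out.push(v4Tail[0], v4Tail[1]);
+if (out.length !== 8)
+return null;
+return out;
+}
+/**
+* Probe an OIDC issuer's well-known configuration. Returns a discriminated
+* result; callers map failures onto 422 with a remediation message.
+*/
+async function probeOidcIssuer(issuerUrl, options = {}) {
+const timeoutMs = options.timeoutMs ?? PROBE_TIMEOUT_MS;
+if (issuerUrl.length > MAX_ISSUER_URL_LENGTH) {
+return fail("INVALID_URL", "issuerUrl exceeds maximum length");
+}
+let url;
+try {
+url = new URL(issuerUrl);
+}
+catch {
+return fail("INVALID_URL", "issuerUrl must be a valid absolute URL");
+}
+if (url.protocol !== "https:") {
+return fail("INSECURE_SCHEME", "issuerUrl must use https://");
+}
+if (url.username || url.password) {
+return fail("INVALID_URL", "issuerUrl must not include credentials");
+}
+const hostname = url.hostname.replace(/^\[|\]$/g, "");
+const resolve = options.resolveHostname ?? defaultResolve;
+let addresses;
+try {
+addresses = await resolve(hostname);
+}
+catch {
+return fail("DNS_ERROR", "Could not resolve issuerUrl hostname");
+}
+if (addresses.length === 0) {
+return fail("DNS_ERROR", "Could not resolve issuerUrl hostname");
+}
+for (const addr of addresses) {
+if (addr.includes(":")) {
+if (isPrivateIPv6(addr)) {
+return fail("PRIVATE_HOST", "issuerUrl resolves to a private or loopback IP");
+}
+}
+else {
+if (isPrivateIPv4(addr)) {
+return fail("PRIVATE_HOST", "issuerUrl resolves to a private or loopback IP");
+}
+}
+}
+// Pin the connect step to the IP we just validated. Without this, Node's
+// fetch performs its own DNS lookup at request time, which lets a TTL=0
+// attacker swap the public IP for a private one between validate and
+// connect (DNS-rebinding TOCTOU).
+const validatedIp = addresses[0];
+const validatedFamily = (0, node_net_1.isIP)(validatedIp);
+const baseHref = url.toString().endsWith("/") ? url.toString() : url.toString() + "/";
+const probeUrl = baseHref + ".well-known/openid-configuration";
+const fetchImpl = options.fetchImpl ?? fetch;
+const controller = new AbortController();
+const timer = setTimeout(() => controller.abort(), timeoutMs);
+const factory = options.dispatcherFactory ?? defaultPinnedDispatcher;
+let pinnedDispatcher;
+if (validatedFamily === 4 || validatedFamily === 6) {
+pinnedDispatcher = factory(validatedIp, validatedFamily);
+}
+try {
+return await runProbe(probeUrl, fetchImpl, controller, timer, pinnedDispatcher);
+}
+finally {
+if (pinnedDispatcher && typeof pinnedDispatcher.close === "function") {
+await pinnedDispatcher
+.close()
+.catch(() => undefined);
+}
+}
+}
+function defaultPinnedDispatcher(validatedIp, family) {
+return new undici_1.Agent({
+connect: {
+lookup: (_hostname, _opts, cb) => cb(null, validatedIp, family),
+},
+});
+}
+async function runProbe(probeUrl, fetchImpl, controller, timer, pinnedDispatcher) {
+let response;
+try {
+const init = {
+method: "GET",
+redirect: "manual",
+headers: { accept: "application/json" },
+signal: controller.signal,
+};
+if (pinnedDispatcher) {
+init.dispatcher = pinnedDispatcher;
+}
+response = await fetchImpl(probeUrl, init);
+}
+catch (err) {
+clearTimeout(timer);
+if (err.name === "AbortError") {
+return fail("TIMEOUT", "Probe timed out");
+}
+return fail("NETWORK_ERROR", "Could not reach issuerUrl");
+}
+clearTimeout(timer);
+if (response.status >= 300 && response.status < 400) {
+return fail("REDIRECT_BLOCKED", "issuerUrl responded with a redirect; redirects are not followed");
+}
+if (!response.ok) {
+return fail("HTTP_ERROR", `Issuer returned HTTP ${response.status}`);
+}
+const reader = response.body?.getReader();
+if (!reader) {
+return fail("NETWORK_ERROR", "Empty response body");
+}
+const chunks = [];
+let total = 0;
+try {
+for (;;) {
+const { value, done } = await reader.read();
+if (done)
+break;
+if (value) {
+total += value.length;
+if (total > MAX_BODY_BYTES) {
+await reader.cancel().catch(() => { });
+return fail("BODY_TOO_LARGE", "Issuer response exceeded 1 MiB");
+}
+chunks.push(value);
+}
+}
+}
+catch {
+return fail("NETWORK_ERROR", "Failed reading issuer response");
+}
+const body = new TextDecoder("utf-8").decode(concat(chunks));
+let json;
+try {
+json = JSON.parse(body);
+}
+catch {
+return fail("INVALID_JSON", "Issuer response was not valid JSON");
+}
+if (typeof json !== "object" || json === null || Array.isArray(json)) {
+return fail("INVALID_JSON", "Issuer response was not a JSON object");
+}
+const conf = json;
+const issuer = typeof conf.issuer === "string" ? conf.issuer : "";
+const authorizationEndpoint = typeof conf.authorization_endpoint === "string" ? conf.authorization_endpoint : "";
+const tokenEndpoint = typeof conf.token_endpoint === "string" ? conf.token_endpoint : "";
+const jwksUri = typeof conf.jwks_uri === "string" ? conf.jwks_uri : "";
+const userinfoEndpoint = typeof conf.userinfo_endpoint === "string" ? conf.userinfo_endpoint : undefined;
+if (!issuer || !authorizationEndpoint || !tokenEndpoint || !jwksUri) {
+return fail("MISSING_ENDPOINTS", "Issuer well-known is missing one of: issuer, authorization_endpoint, token_endpoint, jwks_uri");
+}
+return {
+ok: true,
+issuer,
+authorizationEndpoint,
+tokenEndpoint,
+jwksUri,
+...(userinfoEndpoint ? { userinfoEndpoint } : {}),
+};
+}
+function concat(chunks) {
+let total = 0;
+for (const c of chunks)
+total += c.length;
+const out = new Uint8Array(total);
+let off = 0;
+for (const c of chunks) {
+out.set(c, off);
+off += c.length;
+}
+return out;
+}
+//# sourceMappingURL=issuer-probe.js.map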
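Review bot: The 5 s timeout stops protecting the probe once response headers arrive: `runProbe` calls `clearTimeout(timer)` right after `fetchImpl` resolves, so the body-read loop that follows is bounded only by the 1 MiB cap, and a server that trickles bytes can hold the invocation open well past `PROBE_TIMEOUT_MS`. Keep the timer armed through the read, for example by dropping both `clearTimeout(timer)` calls in `runProbe` and clearing it in the `finally` of `probeOidcIssuer`; the DNS step also runs before the timer is created, so it is not covered either. Separately, `isPrivateIPv6` unwraps only the `::ffff:0:0/96` mapped form, so other IPv4-embedding prefixes such as NAT64 `64:ff9b::/96` and 6to4 `2002::/16` pass as public; whether that matters depends on the egress network, but refusing them would keep the check fail-closed. The unpinned path taken when `isIP` returns 0 would be safer as an explicit `return fail("PRIVATE_HOST", ...)` than as a fetch that performs its own lookup.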
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"issuer-probe.js","sourceRoot":"","sources":["../../../src/lib/cognito/issuer-probe.ts"],"names":[],"mappings":";;AAoFA,sCAiBC;AAOD,sCAkCC;AAuCD,0CA8EC;AAnQD;;;;;;;;;;;;;;;GAeG;AACH,uCAA2C;AAC3C,uCAAgC;AAChC,mCAA+B;AAE/B,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,IAAI,CAAC;AACnC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AACnC,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAgD5D,SAAS,IAAI,CAAC,MAAgC,EAAE,OAAe;IAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,OAAO,mBAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;SACvD,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,EAAU;IACtC,MAAM,CAAC,GAAG,8CAA8C,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,EAAU;IACtC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC
;IACpC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC;IAEjD,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAEzD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1F,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,wEAAwE;IACxE,sCAAsC;IACtC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAE1D,IACE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,EAClB,CAAC;QACD,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,CAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,CAAE,GAAG,IAAI,EAAE,CAAC;QACvG,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,MAAM,GAA4B,IAAI,CAAC;IAC3C,MAAM,OAAO,GAAG,mDAAmD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;QACtD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,M
AAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,CAAC,GAAG,kBAAkB,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAS,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5E,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,SAAiB,EACjB,UAA8B,EAAE;IAEhC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,gBAAgB,CAAC;IAExD,IAAI,SAAS,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC,aAAa,EAAE,kCAAkC,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,aAAa,EAAE,wCAAwC,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,iBAAiB,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,OAAO,
IAAI,CAAC,aAAa,EAAE,wCAAwC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,eAAe,IAAI,cAAc,CAAC;IAE1D,IAAI,SAAmB,CAAC;IACxB,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,WAAW,EAAE,sCAAsC,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,EAAE,sCAAsC,CAAC,CAAC;IACnE,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,cAAc,EAAE,gDAAgD,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,cAAc,EAAE,gDAAgD,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,wEAAwE;IACxE,qEAAqE;IACrE,kCAAkC;IAClC,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IAClC,MAAM,eAAe,GAAG,IAAA,eAAI,EAAC,WAAW,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,GAAG,CAAC;IACtF,MAAM,QAAQ,GAAG,QAAQ,GAAG,kCAAkC,CAAC;IAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAC7C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAE9D,MAAM,OAAO,GAAG,OAAO,CAAC,iBAAiB,IAAI,uBAAuB,CAAC;IACrE,IAAI,gBAAyB,CAAC;IAC9B,IAAI,eAAe,KAAK,CAAC,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QACnD,gBAAgB,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAClF,CAAC;YAAS,CAAC;QACT,IAAI,gBAAgB,IAAI,OAAQ,gBAAoD,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC1G,MAAO,gBAAmD;iBACvD,KAAK,EAAE;iBACP,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,WAAmB,EAAE,MAAa;IACjE,OAAO,IAAI,cAAK,CAAC;QACf,OAAO,EAAE;YACP,MAAM,EAAE,CACN,SAAiB,EACjB,KAAc,EACd,EAAgF,EAChF,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC;SACnC;KACF,CAAC,CAAC;AACL,CA
AC;AAED,KAAK,UAAU,QAAQ,CACrB,QAAgB,EAChB,SAAuB,EACvB,UAA2B,EAC3B,KAAqB,EACrB,gBAAyB;IAEzB,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,IAAI,GAA2C;YACnD,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC;QACF,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC;QACrC,CAAC;QACD,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,IAAK,GAAyB,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC,eAAe,EAAE,2BAA2B,CAAC,CAAC;IAC5D,CAAC;IACD,YAAY,CAAC,KAAK,CAAC,CAAC;IAEpB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC,kBAAkB,EAAE,iEAAiE,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC,YAAY,EAAE,wBAAwB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC,eAAe,EAAE,qBAAqB,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,CAAC;QACH,SAAS,CAAC;YACR,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC;gBACtB,IAAI,KAAK,GAAG,cAAc,EAAE,CAAC;oBAC3B,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBACtC,OAAO,IAAI,CAAC,gBAAgB,EAAE,gCAAgC,CAAC,CAAC;gBAClE,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,cAAc,EAAE,oCAAoC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACrE,OAAO,
IAAI,CAAC,cAAc,EAAE,uCAAuC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,IAA+B,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,MAAM,qBAAqB,GACzB,OAAO,IAAI,CAAC,sBAAsB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;IACrF,MAAM,aAAa,GAAG,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IACzF,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,gBAAgB,GACpB,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;IAElF,IAAI,CAAC,MAAM,IAAI,CAAC,qBAAqB,IAAI,CAAC,aAAa,IAAI,CAAC,OAAO,EAAE,CAAC;QACpE,OAAO,IAAI,CACT,mBAAmB,EACnB,+FAA+F,CAChG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM;QACN,qBAAqB;QACrB,aAAa;QACb,OAAO;QACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClD,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,MAAoB;IAClC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAChB,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAClB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -29,12 +29,12 @@ export declare class CommentHandler {
|
|
|
29
29
|
*
|
|
30
30
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
31
31
|
*/
|
|
32
|
-
createComment(postId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, parentCommentId?: string): Promise<Response>;
|
|
32
|
+
createComment(postId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string, parentCommentId?: string): Promise<Response>;
|
|
33
33
|
/**
|
|
34
34
|
* Create a reply to an existing comment
|
|
35
35
|
* Uses the existing createComment() logic with parentCommentId
|
|
36
36
|
*/
|
|
37
|
-
createReply(parentCommentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
37
|
+
createReply(parentCommentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
38
38
|
/**
|
|
39
39
|
* Get comments for a post
|
|
40
40
|
*
|
|
@@ -43,32 +43,32 @@ export declare class CommentHandler {
|
|
|
43
43
|
getComments(postId: string, request: Request, session: Session, options: {
|
|
44
44
|
limit?: number;
|
|
45
45
|
cursor?: string;
|
|
46
|
-
}, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
46
|
+
}, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
47
47
|
/**
|
|
48
48
|
* Hide a comment
|
|
49
49
|
*
|
|
50
50
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
51
51
|
*/
|
|
52
|
-
hideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
52
|
+
hideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
53
53
|
/**
|
|
54
54
|
* Unhide a comment
|
|
55
55
|
*
|
|
56
56
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
57
57
|
*/
|
|
58
|
-
unhideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
58
|
+
unhideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
59
59
|
/**
|
|
60
60
|
* Edit a comment (15-minute window)
|
|
61
61
|
*
|
|
62
62
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
63
63
|
*/
|
|
64
|
-
editComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
64
|
+
editComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
65
65
|
/**
|
|
66
66
|
* Delete a comment (soft delete)
|
|
67
67
|
*
|
|
68
68
|
* Author or post owner can delete.
|
|
69
69
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
70
70
|
*/
|
|
71
|
-
deleteComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
|
|
71
|
+
deleteComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
|
|
72
72
|
/**
|
|
73
73
|
* Invalidate comment cache
|
|
74
74
|
*/
|
|
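Review bot: In `createComment` the new required `activeTenantId: string` takes the sixth position, which `parentCommentId?: string` used to occupy, so an un-migrated reply call that passes six arguments still type-checks and binds the parent comment id as the tenant id. Both parameters are plain `string`, so the compiler cannot tell them apart; a branded type in the source (`src/lib/comment-handler.ts`), e.g. `type TenantId = string & { readonly __brand: "TenantId" }`, would turn that misbinding into a compile error. The JSDoc blocks above the methods do not mention the new parameter; a line such as `@param activeTenantId Tenant the caller is acting in; must come from the authenticated session, not from request input` would record the expectation. The other six signatures append the parameter at the end, so only `createComment` has the positional shift.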
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"comment-handler.d.ts","sourceRoot":"","sources":["../../src/lib/comment-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAA6B,MAAM,4BAA4B,CAAC;AAczF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,WAAW,GAAG;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,GAAG,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;CACJ;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,iBAAiB,CAAoB;;IAO7C;;;;OAIG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,QAAQ,CAAC;
|
|
1
|
+
{"version":3,"file":"comment-handler.d.ts","sourceRoot":"","sources":["../../src/lib/comment-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAA6B,MAAM,4BAA4B,CAAC;AAczF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,WAAW,GAAG;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,GAAG,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;CACJ;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,iBAAiB,CAAoB;;IAO7C;;;;OAIG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,QAAQ,CAAC;IAuepB;;;OAGG;IACG,WAAW,CACf,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAmEpB;;;;OAIG;IACG,WAAW,CACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,EAC5C,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IA0LpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;
IAqKpB;;;;;OAKG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IA4GpB;;OAEG;YACW,sBAAsB;CAgBrC"}
|
|
@@ -56,7 +56,7 @@ class CommentHandler {
|
|
|
56
56
|
*
|
|
57
57
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
58
58
|
*/
|
|
59
|
-
async createComment(postId, request, session, env, requestContext, parentCommentId) {
|
|
59
|
+
async createComment(postId, request, session, env, requestContext, activeTenantId, parentCommentId) {
|
|
60
60
|
try {
|
|
61
61
|
// Validate request body with Zod schema
|
|
62
62
|
const { validateRequest } = await Promise.resolve().then(() => __importStar(require("./validate-request")));
|
|
@@ -179,8 +179,8 @@ class CommentHandler {
|
|
|
179
179
|
if (parentCommentId) {
|
|
180
180
|
// Fetch parent comment to get thread context
|
|
181
181
|
const parentComment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
182
|
-
return await db.postComment.
|
|
183
|
-
where: { id: parentCommentId },
|
|
182
|
+
return await db.postComment.findFirst({
|
|
183
|
+
where: { id: parentCommentId, tenantId: activeTenantId },
|
|
184
184
|
select: {
|
|
185
185
|
id: true,
|
|
186
186
|
postId: true,
|
|
@@ -226,6 +226,7 @@ class CommentHandler {
|
|
|
226
226
|
return await db.postComment.findFirst({
|
|
227
227
|
where: {
|
|
228
228
|
postId: post.id,
|
|
229
|
+
tenantId: activeTenantId,
|
|
229
230
|
authorId: session.userId,
|
|
230
231
|
text: sanitizedText.trim(),
|
|
231
232
|
createdAt: { gte: fiveMinutesAgo },
|
|
@@ -278,6 +279,7 @@ class CommentHandler {
|
|
|
278
279
|
hasBlockedLinks: hasBlockedLinks,
|
|
279
280
|
rootUri: rootUri,
|
|
280
281
|
replyToUri: replyToUri,
|
|
282
|
+
tenantId: activeTenantId,
|
|
281
283
|
},
|
|
282
284
|
});
|
|
283
285
|
}, {
|
|
@@ -404,15 +406,15 @@ class CommentHandler {
|
|
|
404
406
|
* Create a reply to an existing comment
|
|
405
407
|
* Uses the existing createComment() logic with parentCommentId
|
|
406
408
|
*/
|
|
407
|
-
async createReply(parentCommentId, request, session, env, requestContext) {
|
|
409
|
+
async createReply(parentCommentId, request, session, env, requestContext, activeTenantId) {
|
|
408
410
|
try {
|
|
409
411
|
// Fetch parent comment to get postId and validate it exists
|
|
410
412
|
const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
|
|
411
413
|
const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
|
|
412
414
|
const region = requestContext.region;
|
|
413
415
|
const parentComment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
414
|
-
return await db.postComment.
|
|
415
|
-
where: { id: parentCommentId },
|
|
416
|
+
return await db.postComment.findFirst({
|
|
417
|
+
where: { id: parentCommentId, tenantId: activeTenantId },
|
|
416
418
|
select: { postId: true, deletedAt: true },
|
|
417
419
|
});
|
|
418
420
|
}, {
|
|
@@ -432,7 +434,7 @@ class CommentHandler {
|
|
|
432
434
|
return new Response(JSON.stringify({ error: "Cannot reply to deleted comment" }), { status: 400, headers: { "content-type": "application/json" } });
|
|
433
435
|
}
|
|
434
436
|
// Delegate to createComment() with parentCommentId
|
|
435
|
-
return this.createComment(parentComment.postId, request, session, env, requestContext, parentCommentId);
|
|
437
|
+
return this.createComment(parentComment.postId, request, session, env, requestContext, activeTenantId, parentCommentId);
|
|
436
438
|
}
|
|
437
439
|
catch (error) {
|
|
438
440
|
const { Logger } = await Promise.resolve().then(() => __importStar(require("./logger")));
|
|
@@ -445,7 +447,7 @@ class CommentHandler {
|
|
|
445
447
|
*
|
|
446
448
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
447
449
|
*/
|
|
448
|
-
async getComments(postId, request, session, options, env, requestContext) {
|
|
450
|
+
async getComments(postId, request, session, options, env, requestContext, activeTenantId) {
|
|
449
451
|
try {
|
|
450
452
|
// PREPARATORY: Use DataRouter to get region-specific database
|
|
451
453
|
const region = requestContext.region;
|
|
@@ -468,6 +470,7 @@ class CommentHandler {
|
|
|
468
470
|
return await db.postComment.findMany({
|
|
469
471
|
where: {
|
|
470
472
|
postId,
|
|
473
|
+
tenantId: activeTenantId,
|
|
471
474
|
hiddenByPostOwner: false,
|
|
472
475
|
deletedAt: null, // Filter out soft-deleted comments
|
|
473
476
|
...(cursor && { createdAt: { lt: cursor } }),
|
|
@@ -585,7 +588,7 @@ class CommentHandler {
|
|
|
585
588
|
*
|
|
586
589
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
587
590
|
*/
|
|
588
|
-
async hideComment(commentId, request, session, env, requestContext) {
|
|
591
|
+
async hideComment(commentId, request, session, env, requestContext, activeTenantId) {
|
|
589
592
|
try {
|
|
590
593
|
// PREPARATORY: Use DataRouter to get region-specific database
|
|
591
594
|
const region = requestContext.region;
|
|
@@ -593,8 +596,8 @@ class CommentHandler {
|
|
|
593
596
|
const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
|
|
594
597
|
const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
|
|
595
598
|
const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
596
|
-
return await db.postComment.
|
|
597
|
-
where: { id: commentId },
|
|
599
|
+
return await db.postComment.findFirst({
|
|
600
|
+
where: { id: commentId, tenantId: activeTenantId },
|
|
598
601
|
include: { post: true },
|
|
599
602
|
});
|
|
600
603
|
}, {
|
|
@@ -662,7 +665,7 @@ class CommentHandler {
|
|
|
662
665
|
*
|
|
663
666
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
664
667
|
*/
|
|
665
|
-
async unhideComment(commentId, request, session, env, requestContext) {
|
|
668
|
+
async unhideComment(commentId, request, session, env, requestContext, activeTenantId) {
|
|
666
669
|
try {
|
|
667
670
|
// PREPARATORY: Use DataRouter to get region-specific database
|
|
668
671
|
const region = requestContext.region;
|
|
@@ -670,8 +673,8 @@ class CommentHandler {
|
|
|
670
673
|
const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
|
|
671
674
|
const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
|
|
672
675
|
const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
673
|
-
return await db.postComment.
|
|
674
|
-
where: { id: commentId },
|
|
676
|
+
return await db.postComment.findFirst({
|
|
677
|
+
where: { id: commentId, tenantId: activeTenantId },
|
|
675
678
|
include: { post: true },
|
|
676
679
|
});
|
|
677
680
|
}, {
|
|
@@ -736,7 +739,7 @@ class CommentHandler {
|
|
|
736
739
|
*
|
|
737
740
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
738
741
|
*/
|
|
739
|
-
async editComment(commentId, request, session, env, requestContext) {
|
|
742
|
+
async editComment(commentId, request, session, env, requestContext, activeTenantId) {
|
|
740
743
|
try {
|
|
741
744
|
// Validate request body
|
|
742
745
|
const { validateRequest } = await Promise.resolve().then(() => __importStar(require("./validate-request")));
|
|
@@ -754,8 +757,8 @@ class CommentHandler {
|
|
|
754
757
|
const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
|
|
755
758
|
// Get comment with post info
|
|
756
759
|
const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
757
|
-
return await db.postComment.
|
|
758
|
-
where: { id: commentId },
|
|
760
|
+
return await db.postComment.findFirst({
|
|
761
|
+
where: { id: commentId, tenantId: activeTenantId },
|
|
759
762
|
include: { post: { select: { id: true, authorId: true } } },
|
|
760
763
|
});
|
|
761
764
|
}, {
|
|
@@ -859,15 +862,15 @@ class CommentHandler {
|
|
|
859
862
|
* Author or post owner can delete.
|
|
860
863
|
* PREPARATORY: Uses DataRouter for region-aware operations.
|
|
861
864
|
*/
|
|
862
|
-
async deleteComment(commentId, request, session, env, requestContext) {
|
|
865
|
+
async deleteComment(commentId, request, session, env, requestContext, activeTenantId) {
|
|
863
866
|
try {
|
|
864
867
|
const region = requestContext.region;
|
|
865
868
|
const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
|
|
866
869
|
const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
|
|
867
870
|
// Get comment with post info
|
|
868
871
|
const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
|
|
869
|
-
return await db.postComment.
|
|
870
|
-
where: { id: commentId },
|
|
872
|
+
return await db.postComment.findFirst({
|
|
873
|
+
where: { id: commentId, tenantId: activeTenantId },
|
|
871
874
|
include: {
|
|
872
875
|
post: { select: { id: true, authorId: true } },
|
|
873
876
|
},
|
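Review bot: None of the changed methods checks `activeTenantId` before putting it into `where: { id: commentId, tenantId: activeTenantId }`, and the compiled JavaScript has no type check to stop a caller that still uses the old arity. If `db` is a Prisma client, as the `findFirst`/`findMany`/`include` shape suggests, an `undefined` filter value is dropped from the query, so a missing tenant id would leave the lookup matching on `id` alone, which is the cross-tenant behaviour this change is meant to remove. A guard at the top of each `try` block would make this fail closed: `if (typeof activeTenantId !== "string" || activeTenantId === "") throw new TypeError("activeTenantId is required");`. This applies to the lookups in `createComment`, `createReply`, `hideComment`, `unhideComment`, `editComment` and `deleteComment`, to the `findMany` in `getComments`, and to the `tenantId: activeTenantId` written in the create payload. The method bodies continue outside the hunks, so whether the later updates and deletes are also tenant-scoped cannot be checked from here.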