@discover-cloud/shared 1.2.4 → 1.2.5

package/dist/middleware/index.d.ts

@@ -5,3 +5,4 @@ export * from "./authorize.middleware";
 export * from "./validated-merge.middleware";
 export * from "./require-internal.middleware";
 export * from "./require-auth.middleware";
+export * from "./require-human.middleware";

package/dist/middleware/index.js

@@ -21,3 +21,4 @@ __exportStar(require("./authorize.middleware"), exports);
 __exportStar(require("./validated-merge.middleware"), exports);
 __exportStar(require("./require-internal.middleware"), exports);
 __exportStar(require("./require-auth.middleware"), exports);
+__exportStar(require("./require-human.middleware"), exports);

package/dist/middleware/require-auth.middleware.d.ts

@@ -40,7 +40,7 @@ import { InternalJwtVerifier } from "../jwt/internal-jwt-verifier";
  *   const requireAuth = new RequireAuthMiddleware(jwtVerifier, logger);
  *   router.use(requireAuth.handle);
  */
-export declare class RequireAuthMiddleware {
+export declare class requireAuth {
     private readonly verifier;
     private readonly logger;
     constructor(verifier: InternalJwtVerifier, logger?: ILogger);

package/dist/middleware/require-auth.middleware.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RequireAuthMiddleware = void 0;
+exports.requireAuth = void 0;
 const jose_1 = require("jose");
 const utils_1 = require("../utils");
 const internal_jwt_verifier_1 = require("../jwt/internal-jwt-verifier");
@@ -42,7 +42,7 @@ const utils_2 = require("../utils");
  *   const requireAuth = new RequireAuthMiddleware(jwtVerifier, logger);
  *   router.use(requireAuth.handle);
  */
-class RequireAuthMiddleware {
+class requireAuth {
     constructor(verifier, logger = utils_1.noopLogger) {
         this.verifier = verifier;
         this.logger = logger;
@@ -160,4 +160,4 @@ class RequireAuthMiddleware {
         (0, utils_2.failure)(res, req, "Authentication service is temporarily unavailable.", "SERVICE_UNAVAILABLE", 503);
     }
 }
-exports.RequireAuthMiddleware = RequireAuthMiddleware;
+exports.requireAuth = requireAuth;

package/dist/middleware/require-human.middleware.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response, NextFunction } from "express";
+export declare const requireHuman: (req: Request, res: Response, next: NextFunction) => void;

package/dist/middleware/require-human.middleware.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireHuman = void 0;
+const utils_1 = require("../utils");
+const types_1 = require("../types");
+const requireHuman = (req, res, next) => {
+    const ctx = req.accessContext;
+    if (!ctx) {
+        (0, utils_1.failure)(res, req, "Unauthorized: No access context", "UNAUTHORIZED", 401);
+        return;
+    }
+    if (!(0, types_1.isHumanContext)(ctx)) {
+        (0, utils_1.failure)(res, req, "Human token required", "FORBIDDEN", 403);
+        return;
+    }
+    next();
+};
+exports.requireHuman = requireHuman;

package/dist/middleware/require-internal.middleware.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.requireInternal = requireInternal;
 const jose = __importStar(require("jose"));
+const types_1 = require("../types");
 const logger_utils_1 = require("../utils/logger.utils");
 /**
  * REQUIRE INTERNAL MIDDLEWARE  (@discover-cloud/shared)
@@ -125,14 +126,20 @@ function requireInternal(options = {}) {
                 });
                 return;
             }
-            const serviceId = payload["serviceId"];
-            if (typeof serviceId !== "string") {
+            try {
+                (0, types_1.assertMachinePayload)(payload);
+            }
+            catch {
                 res.status(401).json({
                     success: false,
-                    error: { code: "INVALID_TOKEN", message: "Token missing serviceId" },
+                    error: {
+                        code: "INVALID_TOKEN",
+                        message: "Invalid machine token payload",
+                    },
                 });
                 return;
             }
+            const serviceId = payload.serviceId;
             // Allowlist — tightest possible scope per endpoint
             if (allowedServices && !allowedServices.includes(serviceId)) {
                 logger.warn({ requestId: req.id, serviceId }, "[requireInternal] serviceId not in allowlist");
@@ -143,6 +150,7 @@ function requireInternal(options = {}) {
                 return;
             }
             const context = { kind: "machine", serviceId };
+            req.internalAuth = payload;
             req.accessContext = context;
             logger.debug({ requestId: req.id, serviceId, jti: payload.jti }, "[requireInternal] Machine token verified");
             next();

package/dist/types/express.types.d.ts

@@ -96,6 +96,14 @@ export interface MachineAccessContext {
 export type AccessContext = HumanAccessContext | MachineAccessContext;
 export declare function isHumanPayload(payload: InternalJwtPayload): payload is HumanInternalJwtPayload;
 export declare function isMachinePayload(payload: InternalJwtPayload): payload is MachineInternalJwtPayload;
+/**
+ * Runtime assertion for jose.jwtVerify() results.
+ *
+ * jose returns a generic JWTPayload because it cannot know
+ * our custom claims. After verification + this assertion,
+ * TypeScript safely treats it as MachineInternalJwtPayload.
+ */
+export declare function assertMachinePayload(payload: JWTPayload): asserts payload is MachineInternalJwtPayload;
 export declare function isHumanContext(ctx: AccessContext): ctx is HumanAccessContext;
 export declare function isMachineContext(ctx: AccessContext): ctx is MachineAccessContext;
 export interface VerifiedAccessPayload {

package/dist/types/express.types.js

@@ -20,6 +20,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isHumanPayload = isHumanPayload;
 exports.isMachinePayload = isMachinePayload;
+exports.assertMachinePayload = assertMachinePayload;
 exports.isHumanContext = isHumanContext;
 exports.isMachineContext = isMachineContext;
 /* ====================================================================
@@ -35,6 +36,22 @@ function isHumanPayload(payload) {
 function isMachinePayload(payload) {
     return payload.isMachine === true;
 }
+/**
+ * Runtime assertion for jose.jwtVerify() results.
+ *
+ * jose returns a generic JWTPayload because it cannot know
+ * our custom claims. After verification + this assertion,
+ * TypeScript safely treats it as MachineInternalJwtPayload.
+ */
+function assertMachinePayload(payload) {
+    if (payload["typ"] !== "internal" ||
+        payload["isMachine"] !== true ||
+        typeof payload["serviceId"] !== "string" ||
+        typeof payload["jti"] !== "string" ||
+        typeof payload["caller"] !== "string") {
+        throw new Error("Invalid machine JWT payload");
+    }
+}
 function isHumanContext(ctx) {
     return ctx.kind === "human";
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@discover-cloud/shared",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "private": false,
   "type": "commonjs",
   "main": "dist/index.js",