@drmhse/authos-node 0.1.0

package/dist/express.mjs

@@ -0,0 +1,373 @@
+import * as crypto from 'crypto';
+
+// src/jwks.ts
+var jwksCache = /* @__PURE__ */ new Map();
+var DEFAULT_CACHE_TTL = 60 * 60 * 1e3;
+function base64UrlDecode(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
+  return Buffer.from(padded, "base64");
+}
+function jwkToPem(jwk) {
+  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) {
+    throw new Error("Only RSA keys are supported");
+  }
+  const n = base64UrlDecode(jwk.n);
+  const e = base64UrlDecode(jwk.e);
+  const nInt = encodeASN1Integer(n);
+  const eInt = encodeASN1Integer(e);
+  const rsaPublicKey = encodeASN1Sequence(Buffer.concat([nInt, eInt]));
+  const bitString = Buffer.concat([
+    Buffer.from([3]),
+    encodeASN1Length(rsaPublicKey.length + 1),
+    Buffer.from([0]),
+    // no unused bits
+    rsaPublicKey
+  ]);
+  const algorithmIdentifier = Buffer.from([
+    48,
+    13,
+    // SEQUENCE
+    6,
+    9,
+    // OID
+    42,
+    134,
+    72,
+    134,
+    247,
+    13,
+    1,
+    1,
+    1,
+    // 1.2.840.113549.1.1.1
+    5,
+    0
+    // NULL
+  ]);
+  const subjectPublicKeyInfo = encodeASN1Sequence(
+    Buffer.concat([algorithmIdentifier, bitString])
+  );
+  const base64Key = subjectPublicKeyInfo.toString("base64");
+  const lines = base64Key.match(/.{1,64}/g) || [];
+  return `-----BEGIN PUBLIC KEY-----
+${lines.join("\n")}
+-----END PUBLIC KEY-----`;
+}
+function encodeASN1Length(length) {
+  if (length < 128) {
+    return Buffer.from([length]);
+  }
+  const bytes = [];
+  let len = length;
+  while (len > 0) {
+    bytes.unshift(len & 255);
+    len = len >> 8;
+  }
+  return Buffer.from([128 | bytes.length, ...bytes]);
+}
+function encodeASN1Integer(value) {
+  const needsPadding = value[0] & 128;
+  const content = needsPadding ? Buffer.concat([Buffer.from([0]), value]) : value;
+  return Buffer.concat([
+    Buffer.from([2]),
+    // INTEGER tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+function encodeASN1Sequence(content) {
+  return Buffer.concat([
+    Buffer.from([48]),
+    // SEQUENCE tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+async function fetchJWKS(baseURL) {
+  const url = `${baseURL.replace(/\/$/, "")}/.well-known/jwks.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);
+  }
+  return response.json();
+}
+async function getJWKS(baseURL, cacheTTL) {
+  const cached = jwksCache.get(baseURL);
+  const now = Date.now();
+  if (cached && now - cached.fetchedAt < cacheTTL) {
+    return cached.jwks;
+  }
+  const jwks = await fetchJWKS(baseURL);
+  jwksCache.set(baseURL, { jwks, fetchedAt: now });
+  return jwks;
+}
+function findKey(jwks, kid) {
+  return jwks.keys.find((key) => key.kid === kid) || null;
+}
+var TokenVerificationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "TokenVerificationError";
+  }
+};
+function parseJWT(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new TokenVerificationError("Invalid JWT format", "INVALID_TOKEN_FORMAT");
+  }
+  try {
+    const header = JSON.parse(base64UrlDecode(parts[0]).toString("utf8"));
+    const payload = JSON.parse(base64UrlDecode(parts[1]).toString("utf8"));
+    return { header, payload };
+  } catch {
+    throw new TokenVerificationError("Invalid JWT encoding", "INVALID_TOKEN_FORMAT");
+  }
+}
+function createTokenVerifier(options) {
+  const { baseURL, jwksCacheTTL = DEFAULT_CACHE_TTL } = options;
+  async function verifyToken(token, verifyOptions = {}) {
+    const { audience, issuer, clockTolerance = 0 } = verifyOptions;
+    const { header, payload } = parseJWT(token);
+    if (header.alg !== "RS256") {
+      throw new TokenVerificationError(
+        `Unsupported algorithm: ${header.alg}. Only RS256 is supported.`,
+        "INVALID_ALGORITHM"
+      );
+    }
+    const kid = header.kid;
+    if (!kid) {
+      throw new TokenVerificationError("Token missing kid header", "MISSING_KID");
+    }
+    const jwks = await getJWKS(baseURL, jwksCacheTTL);
+    const jwk = findKey(jwks, kid);
+    if (!jwk) {
+      const freshJwks = await fetchJWKS(baseURL);
+      jwksCache.set(baseURL, { jwks: freshJwks, fetchedAt: Date.now() });
+      const freshJwk = findKey(freshJwks, kid);
+      if (!freshJwk) {
+        throw new TokenVerificationError(
+          `No matching key found for kid: ${kid}`,
+          "KEY_NOT_FOUND"
+        );
+      }
+      return verifyWithKey(token, freshJwk, payload, { audience, issuer, clockTolerance });
+    }
+    return verifyWithKey(token, jwk, payload, { audience, issuer, clockTolerance });
+  }
+  return { verifyToken };
+}
+function verifyWithKey(token, jwk, payload, options) {
+  const { audience, issuer, clockTolerance } = options;
+  const pem = jwkToPem(jwk);
+  const parts = token.split(".");
+  const signatureInput = `${parts[0]}.${parts[1]}`;
+  const signature = base64UrlDecode(parts[2]);
+  const verifier = crypto.createVerify("RSA-SHA256");
+  verifier.update(signatureInput);
+  if (!verifier.verify(pem, signature)) {
+    throw new TokenVerificationError("Invalid token signature", "INVALID_SIGNATURE");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp && payload.exp + clockTolerance < now) {
+    throw new TokenVerificationError("Token has expired", "TOKEN_EXPIRED");
+  }
+  if (payload.iat && payload.iat - clockTolerance > now) {
+    throw new TokenVerificationError("Token is not yet valid", "TOKEN_NOT_YET_VALID");
+  }
+  if (audience) {
+    const tokenAud = payload.aud;
+    const validAud = Array.isArray(tokenAud) ? tokenAud.includes(audience) : tokenAud === audience;
+    if (!validAud) {
+      throw new TokenVerificationError("Invalid token audience", "INVALID_AUDIENCE");
+    }
+  }
+  if (issuer) {
+    const tokenIss = payload.iss;
+    if (tokenIss !== issuer) {
+      throw new TokenVerificationError("Invalid token issuer", "INVALID_ISSUER");
+    }
+  }
+  return { claims: payload, token };
+}
+
+// src/express/middleware.ts
+function extractBearerToken(req) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return null;
+  }
+  return authHeader.slice(7);
+}
+function createAuthMiddleware(options) {
+  const verifier = createTokenVerifier(options);
+  function requireAuth(authOptions = {}) {
+    const { getToken, ...verifyOptions } = authOptions;
+    return async (req, res, next) => {
+      try {
+        const token = getToken ? getToken(req) : extractBearerToken(req);
+        if (!token) {
+          res.status(401).json({
+            error: "Unauthorized",
+            message: "Missing authentication token",
+            code: "MISSING_TOKEN"
+          });
+          return;
+        }
+        const verified = await verifier.verifyToken(token, verifyOptions);
+        req.auth = verified;
+        next();
+      } catch (err) {
+        if (err instanceof TokenVerificationError) {
+          res.status(401).json({
+            error: "Unauthorized",
+            message: err.message,
+            code: err.code
+          });
+          return;
+        }
+        console.error("Auth middleware error:", err);
+        res.status(500).json({
+          error: "Internal Server Error",
+          message: "Authentication verification failed"
+        });
+      }
+    };
+  }
+  function requirePermission(permission, permOptions = {}) {
+    const { message = "Insufficient permissions" } = permOptions;
+    return (req, res, next) => {
+      if (!req.auth) {
+        res.status(401).json({
+          error: "Unauthorized",
+          message: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+        return;
+      }
+      const permissions = req.auth.claims.permissions || [];
+      const hasPermission = permissions.includes(permission);
+      if (!hasPermission) {
+        res.status(403).json({
+          error: "Forbidden",
+          message,
+          code: "PERMISSION_DENIED",
+          required: permission
+        });
+        return;
+      }
+      next();
+    };
+  }
+  function requireAnyPermission(permissions, permOptions = {}) {
+    const { message = "Insufficient permissions" } = permOptions;
+    return (req, res, next) => {
+      if (!req.auth) {
+        res.status(401).json({
+          error: "Unauthorized",
+          message: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+        return;
+      }
+      const userPermissions = req.auth.claims.permissions || [];
+      const hasAny = permissions.some((p) => userPermissions.includes(p));
+      if (!hasAny) {
+        res.status(403).json({
+          error: "Forbidden",
+          message,
+          code: "PERMISSION_DENIED",
+          required: permissions
+        });
+        return;
+      }
+      next();
+    };
+  }
+  function requireAllPermissions(permissions, permOptions = {}) {
+    const { message = "Insufficient permissions" } = permOptions;
+    return (req, res, next) => {
+      if (!req.auth) {
+        res.status(401).json({
+          error: "Unauthorized",
+          message: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+        return;
+      }
+      const userPermissions = req.auth.claims.permissions || [];
+      const hasAll = permissions.every((p) => userPermissions.includes(p));
+      if (!hasAll) {
+        const missing = permissions.filter((p) => !userPermissions.includes(p));
+        res.status(403).json({
+          error: "Forbidden",
+          message,
+          code: "PERMISSION_DENIED",
+          required: permissions,
+          missing
+        });
+        return;
+      }
+      next();
+    };
+  }
+  function requirePlatformOwner(permOptions = {}) {
+    const { message = "Platform owner access required" } = permOptions;
+    return (req, res, next) => {
+      if (!req.auth) {
+        res.status(401).json({
+          error: "Unauthorized",
+          message: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+        return;
+      }
+      if (!req.auth.claims.is_platform_owner) {
+        res.status(403).json({
+          error: "Forbidden",
+          message,
+          code: "NOT_PLATFORM_OWNER"
+        });
+        return;
+      }
+      next();
+    };
+  }
+  function requireOrganization(getOrgSlug, permOptions = {}) {
+    const { message = "Organization access required" } = permOptions;
+    return (req, res, next) => {
+      if (!req.auth) {
+        res.status(401).json({
+          error: "Unauthorized",
+          message: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+        return;
+      }
+      const requiredOrg = typeof getOrgSlug === "function" ? getOrgSlug(req) : getOrgSlug;
+      const userOrg = req.auth.claims.org;
+      if (!userOrg || userOrg !== requiredOrg) {
+        res.status(403).json({
+          error: "Forbidden",
+          message,
+          code: "WRONG_ORGANIZATION",
+          required: requiredOrg
+        });
+        return;
+      }
+      next();
+    };
+  }
+  return {
+    requireAuth,
+    requirePermission,
+    requireAnyPermission,
+    requireAllPermissions,
+    requirePlatformOwner,
+    requireOrganization
+  };
+}
+
+export { createAuthMiddleware };

package/dist/index.d.mts

@@ -0,0 +1,67 @@
+import { A as AuthOSNodeOptions, V as VerifyTokenOptions, a as VerifiedToken, W as WebhookVerifyOptions } from './types-C4aDSNcp.mjs';
+export { c as AuthenticatedRequest, J as JWK, b as JWKS, R as RequireAuthOptions, d as RequirePermissionOptions } from './types-C4aDSNcp.mjs';
+export { JwtClaims } from '@drmhse/sso-sdk';
+
+/**
+ * Error class for token verification failures
+ */
+declare class TokenVerificationError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Create a token verifier instance
+ */
+declare function createTokenVerifier(options: AuthOSNodeOptions): {
+    verifyToken: (token: string, verifyOptions?: VerifyTokenOptions) => Promise<VerifiedToken>;
+};
+/**
+ * Clear the JWKS cache (useful for testing)
+ */
+declare function clearJWKSCache(): void;
+
+/**
+ * Error class for webhook verification failures
+ */
+declare class WebhookVerificationError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Verify a webhook signature from AuthOS
+ *
+ * @param signatureHeader - The signature header value (e.g., from 'X-AuthOS-Signature' or 'Webhook-Signature')
+ * @param payload - The raw request body as a string
+ * @param secret - The webhook signing secret
+ * @param options - Verification options
+ * @returns true if signature is valid
+ * @throws WebhookVerificationError if verification fails
+ *
+ * @example
+ * ```typescript
+ * app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
+ *   const signature = req.headers['x-authos-signature'] as string;
+ *   const payload = req.body.toString();
+ *
+ *   try {
+ *     verifyWebhookSignature(signature, payload, process.env.WEBHOOK_SECRET!);
+ *     // Process webhook...
+ *     res.status(200).send('OK');
+ *   } catch (err) {
+ *     res.status(400).send('Invalid signature');
+ *   }
+ * });
+ * ```
+ */
+declare function verifyWebhookSignature(signatureHeader: string, payload: string, secret: string, options?: WebhookVerifyOptions): boolean;
+/**
+ * Create a webhook signature for testing purposes
+ *
+ * @param payload - The payload to sign
+ * @param secret - The signing secret
+ * @param timestamp - Optional timestamp (defaults to current time)
+ * @returns The signature header value
+ */
+declare function createWebhookSignature(payload: string, secret: string, timestamp?: number): string;
+
+export { AuthOSNodeOptions, TokenVerificationError, VerifiedToken, VerifyTokenOptions, WebhookVerificationError, WebhookVerifyOptions, clearJWKSCache, createTokenVerifier, createWebhookSignature, verifyWebhookSignature };

package/dist/index.d.ts

@@ -0,0 +1,67 @@
+import { A as AuthOSNodeOptions, V as VerifyTokenOptions, a as VerifiedToken, W as WebhookVerifyOptions } from './types-C4aDSNcp.js';
+export { c as AuthenticatedRequest, J as JWK, b as JWKS, R as RequireAuthOptions, d as RequirePermissionOptions } from './types-C4aDSNcp.js';
+export { JwtClaims } from '@drmhse/sso-sdk';
+
+/**
+ * Error class for token verification failures
+ */
+declare class TokenVerificationError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Create a token verifier instance
+ */
+declare function createTokenVerifier(options: AuthOSNodeOptions): {
+    verifyToken: (token: string, verifyOptions?: VerifyTokenOptions) => Promise<VerifiedToken>;
+};
+/**
+ * Clear the JWKS cache (useful for testing)
+ */
+declare function clearJWKSCache(): void;
+
+/**
+ * Error class for webhook verification failures
+ */
+declare class WebhookVerificationError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Verify a webhook signature from AuthOS
+ *
+ * @param signatureHeader - The signature header value (e.g., from 'X-AuthOS-Signature' or 'Webhook-Signature')
+ * @param payload - The raw request body as a string
+ * @param secret - The webhook signing secret
+ * @param options - Verification options
+ * @returns true if signature is valid
+ * @throws WebhookVerificationError if verification fails
+ *
+ * @example
+ * ```typescript
+ * app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
+ *   const signature = req.headers['x-authos-signature'] as string;
+ *   const payload = req.body.toString();
+ *
+ *   try {
+ *     verifyWebhookSignature(signature, payload, process.env.WEBHOOK_SECRET!);
+ *     // Process webhook...
+ *     res.status(200).send('OK');
+ *   } catch (err) {
+ *     res.status(400).send('Invalid signature');
+ *   }
+ * });
+ * ```
+ */
+declare function verifyWebhookSignature(signatureHeader: string, payload: string, secret: string, options?: WebhookVerifyOptions): boolean;
+/**
+ * Create a webhook signature for testing purposes
+ *
+ * @param payload - The payload to sign
+ * @param secret - The signing secret
+ * @param timestamp - Optional timestamp (defaults to current time)
+ * @returns The signature header value
+ */
+declare function createWebhookSignature(payload: string, secret: string, timestamp?: number): string;
+
+export { AuthOSNodeOptions, TokenVerificationError, VerifiedToken, VerifyTokenOptions, WebhookVerificationError, WebhookVerifyOptions, clearJWKSCache, createTokenVerifier, createWebhookSignature, verifyWebhookSignature };