@eldrin-project/eldrin-app-core 0.0.1 → 0.0.2

package/dist/index.cjs

@@ -559,18 +559,430 @@ function createApp(options) {
   };
 }
 
+// src/events/client.ts
+var EldrinEventClient = class {
+  appId;
+  coreApiUrl;
+  constructor(config) {
+    this.appId = config.appId;
+    this.coreApiUrl = config.coreApiUrl.replace(/\/$/, "");
+  }
+  /**
+   * Emit an event to the event bus
+   *
+   * @param type - Event type (must be declared in app's manifest emits)
+   * @param payload - Event payload data
+   * @param options - Optional emit configuration
+   * @returns Result containing the event ID
+   * @throws Error if app is not authorized to emit this event type
+   */
+  async emit(type, payload, options = {}) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/emit`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({
+        type,
+        payload,
+        version: options.version ?? 1,
+        idempotencyKey: options.idempotencyKey
+      })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({ error: "Unknown error" }));
+      throw new Error(errorData.error || `Failed to emit event: ${response.status}`);
+    }
+    return response.json();
+  }
+  /**
+   * Poll for pending events
+   *
+   * @param options - Optional polling configuration
+   * @returns List of pending event deliveries
+   */
+  async poll(options = {}) {
+    const params = new URLSearchParams();
+    if (options.limit) params.set("limit", String(options.limit));
+    if (options.types?.length) params.set("types", options.types.join(","));
+    const url = `${this.coreApiUrl}/api/events/poll${params.toString() ? `?${params}` : ""}`;
+    const response = await fetch(url, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to poll events: ${response.status}`);
+    }
+    return response.json();
+  }
+  /**
+   * Acknowledge successful event processing
+   *
+   * @param deliveryId - The delivery record ID to acknowledge
+   */
+  async ack(deliveryId) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/ack`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({ deliveryId })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to acknowledge event: ${response.status}`);
+    }
+  }
+  /**
+   * Negative acknowledge - event will be retried later
+   *
+   * @param deliveryId - The delivery record ID
+   * @param error - Optional error message for logging
+   */
+  async nack(deliveryId, error) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/nack`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({ deliveryId, error })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to nack event: ${response.status}`);
+    }
+  }
+  /**
+   * Get all registered event types
+   *
+   * @returns List of all registered event types across all apps
+   */
+  async getEventTypes() {
+    const response = await fetch(`${this.coreApiUrl}/api/events/types`, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to get event types: ${response.status}`);
+    }
+    const data = await response.json();
+    return data.types;
+  }
+  /**
+   * Get subscriptions for this app
+   *
+   * @returns List of active subscriptions
+   */
+  async getSubscriptions() {
+    const response = await fetch(`${this.coreApiUrl}/api/events/subscriptions`, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to get subscriptions: ${response.status}`);
+    }
+    const data = await response.json();
+    return data.subscriptions;
+  }
+};
+function createEventClient(env, appId) {
+  const coreApiUrl = env.ELDRIN_CORE_URL || "http://localhost:4000";
+  return new EldrinEventClient({ appId, coreApiUrl });
+}
+
+// src/auth/index.ts
+var AUTH_HEADERS = {
+  USER_ID: "x-eldrin-user-id",
+  USER_EMAIL: "x-eldrin-user-email",
+  USER_NAME: "x-eldrin-user-name",
+  USER_ROLES: "x-eldrin-user-roles",
+  USER_PERMISSIONS: "x-eldrin-user-permissions"
+};
+function base64UrlDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function verifyJWTSignature(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return { valid: false, error: "Invalid JWT format" };
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  try {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    const key = await crypto.subtle.importKey(
+      "raw",
+      keyData,
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const signedData = encoder.encode(`${headerB64}.${payloadB64}`);
+    const signature = base64UrlDecode(signatureB64);
+    const isValid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      signature.buffer,
+      signedData
+    );
+    if (!isValid) {
+      return { valid: false, error: "Invalid signature" };
+    }
+    const payloadJson = new TextDecoder().decode(base64UrlDecode(payloadB64));
+    const payload = JSON.parse(payloadJson);
+    const now = Date.now();
+    if (payload.exp && payload.exp < now) {
+      return { valid: false, error: "Token expired" };
+    }
+    return { valid: true, payload };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "JWT verification failed"
+    };
+  }
+}
+function extractAppPermissions(payload, appId, developerId) {
+  const permissions = [];
+  for (const [key, perms] of Object.entries(payload.appPermissions)) {
+    if (developerId) {
+      if (key === `${developerId}:${appId}`) {
+        permissions.push(...perms);
+      }
+    } else {
+      if (key.endsWith(`:${appId}`)) {
+        permissions.push(...perms);
+      }
+    }
+  }
+  return permissions;
+}
+function jwtPayloadToAuthContext(payload, appId, developerId) {
+  return {
+    userId: payload.sub,
+    email: payload.email,
+    name: `${payload.firstName} ${payload.lastName}`.trim(),
+    platformRoles: payload.platformRoles,
+    permissions: extractAppPermissions(payload, appId, developerId)
+  };
+}
+async function verifyJWT(request, options) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader) {
+    return { success: false, error: "Missing Authorization header" };
+  }
+  if (!authHeader.startsWith("Bearer ")) {
+    return { success: false, error: "Invalid Authorization header format" };
+  }
+  const token = authHeader.slice(7);
+  const result = await verifyJWTSignature(token, options.secret);
+  if (!result.valid || !result.payload) {
+    return { success: false, error: result.error || "JWT verification failed" };
+  }
+  const auth = jwtPayloadToAuthContext(result.payload, options.appId, options.developerId);
+  return { success: true, auth };
+}
+async function getAuthContextFromJWT(request, options) {
+  const authHeader = request.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    const result = await verifyJWT(request, options);
+    if (result.success) {
+      return result.auth;
+    }
+    return null;
+  }
+  return getAuthContext(request);
+}
+async function requireJWTAuth(request, options) {
+  const auth = await getAuthContextFromJWT(request, options);
+  if (!auth) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return auth;
+}
+async function requireJWTPermission(request, options, resource, action) {
+  const auth = await requireJWTAuth(request, options);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  if (!hasPermission(auth, resource, action)) {
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permission: ${resource}:${action}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function getAuthContext(request) {
+  const userId = request.headers.get(AUTH_HEADERS.USER_ID);
+  if (!userId) {
+    return null;
+  }
+  const email = request.headers.get(AUTH_HEADERS.USER_EMAIL) || "";
+  const name = request.headers.get(AUTH_HEADERS.USER_NAME) || "";
+  const rolesHeader = request.headers.get(AUTH_HEADERS.USER_ROLES) || "";
+  const permissionsHeader = request.headers.get(AUTH_HEADERS.USER_PERMISSIONS) || "";
+  return {
+    userId,
+    email,
+    name,
+    platformRoles: rolesHeader ? rolesHeader.split(",").map((r) => r.trim()) : [],
+    permissions: permissionsHeader ? permissionsHeader.split(",").map((p) => p.trim()) : []
+  };
+}
+function requireAuth(request) {
+  const auth = getAuthContext(request);
+  if (!auth) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return auth;
+}
+function hasPermission(auth, resource, action) {
+  const required = `${resource}:${action}`;
+  if (auth.permissions.includes(required)) {
+    return true;
+  }
+  if (auth.permissions.includes(`${resource}:*`)) {
+    return true;
+  }
+  if (auth.permissions.includes("*:*")) {
+    return true;
+  }
+  return false;
+}
+function hasPlatformRole(auth, role) {
+  return auth.platformRoles.includes(role);
+}
+function isPlatformAdmin(auth) {
+  return auth.platformRoles.includes("admin");
+}
+function requirePermission(request, resource, action) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  if (!hasPermission(auth, resource, action)) {
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permission: ${resource}:${action}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function requireAnyPermission(request, permissions) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  const hasAny = permissions.some(
+    ([resource, action]) => hasPermission(auth, resource, action)
+  );
+  if (!hasAny) {
+    const permList = permissions.map(([r, a]) => `${r}:${a}`).join(", ");
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing one of permissions: ${permList}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function requireAllPermissions(request, permissions) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  const missing = permissions.filter(
+    ([resource, action]) => !hasPermission(auth, resource, action)
+  );
+  if (missing.length > 0) {
+    const permList = missing.map(([r, a]) => `${r}:${a}`).join(", ");
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permissions: ${permList}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+
+exports.AUTH_HEADERS = AUTH_HEADERS;
 exports.CHECKSUM_PREFIX = CHECKSUM_PREFIX;
 exports.DatabaseProvider = DatabaseProvider;
+exports.EldrinEventClient = EldrinEventClient;
 exports.calculateChecksum = calculateChecksum;
 exports.calculatePrefixedChecksum = calculatePrefixedChecksum;
 exports.createApp = createApp;
+exports.createEventClient = createEventClient;
 exports.extractTimestamp = extractTimestamp;
 exports.generateMigrationManifest = generateMigrationManifest;
+exports.getAuthContext = getAuthContext;
+exports.getAuthContextFromJWT = getAuthContextFromJWT;
 exports.getMigrationStatus = getMigrationStatus;
 exports.getRollbackFilename = getRollbackFilename;
+exports.hasPermission = hasPermission;
+exports.hasPlatformRole = hasPlatformRole;
+exports.isPlatformAdmin = isPlatformAdmin;
 exports.isValidMigrationFilename = isValidMigrationFilename;
 exports.isValidRollbackFilename = isValidRollbackFilename;
 exports.parseSQLStatements = parseSQLStatements;
+exports.requireAllPermissions = requireAllPermissions;
+exports.requireAnyPermission = requireAnyPermission;
+exports.requireAuth = requireAuth;
+exports.requireJWTAuth = requireJWTAuth;
+exports.requireJWTPermission = requireJWTPermission;
+exports.requirePermission = requirePermission;
 exports.rollbackMigrations = rollbackMigrations;
 exports.runMigrations = runMigrations;
 exports.useDatabase = useDatabase;
@@ -578,5 +990,6 @@ exports.useDatabaseContext = useDatabaseContext;
 exports.useMigrationsComplete = useMigrationsComplete;
 exports.validateMigrationManifest = validateMigrationManifest;
 exports.verifyChecksum = verifyChecksum;
+exports.verifyJWT = verifyJWT;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map