@eldrin-project/eldrin-app-core 0.0.1 → 0.0.3

package/dist/index.cjs

@@ -559,18 +559,638 @@ function createApp(options) {
   };
 }
 
+// src/events/client.ts
+var EldrinEventClient = class {
+  appId;
+  coreApiUrl;
+  constructor(config) {
+    this.appId = config.appId;
+    this.coreApiUrl = config.coreApiUrl.replace(/\/$/, "");
+  }
+  /**
+   * Emit an event to the event bus
+   *
+   * @param type - Event type (must be declared in app's manifest emits)
+   * @param payload - Event payload data
+   * @param options - Optional emit configuration
+   * @returns Result containing the event ID
+   * @throws Error if app is not authorized to emit this event type
+   */
+  async emit(type, payload, options = {}) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/emit`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({
+        type,
+        payload,
+        version: options.version ?? 1,
+        idempotencyKey: options.idempotencyKey
+      })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({ error: "Unknown error" }));
+      throw new Error(errorData.error || `Failed to emit event: ${response.status}`);
+    }
+    return response.json();
+  }
+  /**
+   * Poll for pending events
+   *
+   * @param options - Optional polling configuration
+   * @returns List of pending event deliveries
+   */
+  async poll(options = {}) {
+    const params = new URLSearchParams();
+    if (options.limit) params.set("limit", String(options.limit));
+    if (options.types?.length) params.set("types", options.types.join(","));
+    const url = `${this.coreApiUrl}/api/events/poll${params.toString() ? `?${params}` : ""}`;
+    const response = await fetch(url, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to poll events: ${response.status}`);
+    }
+    return response.json();
+  }
+  /**
+   * Acknowledge successful event processing
+   *
+   * @param deliveryId - The delivery record ID to acknowledge
+   */
+  async ack(deliveryId) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/ack`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({ deliveryId })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to acknowledge event: ${response.status}`);
+    }
+  }
+  /**
+   * Negative acknowledge - event will be retried later
+   *
+   * @param deliveryId - The delivery record ID
+   * @param error - Optional error message for logging
+   */
+  async nack(deliveryId, error) {
+    const response = await fetch(`${this.coreApiUrl}/api/events/nack`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-Eldrin-App-Id": this.appId
+      },
+      body: JSON.stringify({ deliveryId, error })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to nack event: ${response.status}`);
+    }
+  }
+  /**
+   * Get all registered event types
+   *
+   * @returns List of all registered event types across all apps
+   */
+  async getEventTypes() {
+    const response = await fetch(`${this.coreApiUrl}/api/events/types`, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to get event types: ${response.status}`);
+    }
+    const data = await response.json();
+    return data.types;
+  }
+  /**
+   * Get subscriptions for this app
+   *
+   * @returns List of active subscriptions
+   */
+  async getSubscriptions() {
+    const response = await fetch(`${this.coreApiUrl}/api/events/subscriptions`, {
+      headers: {
+        "X-Eldrin-App-Id": this.appId
+      }
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to get subscriptions: ${response.status}`);
+    }
+    const data = await response.json();
+    return data.subscriptions;
+  }
+};
+function createEventClient(env, appId) {
+  const coreApiUrl = env.ELDRIN_CORE_URL || "http://localhost:4000";
+  return new EldrinEventClient({ appId, coreApiUrl });
+}
+
+// src/auth/index.ts
+var AUTH_HEADERS = {
+  USER_ID: "x-eldrin-user-id",
+  USER_EMAIL: "x-eldrin-user-email",
+  USER_NAME: "x-eldrin-user-name",
+  USER_ROLES: "x-eldrin-user-roles",
+  USER_PERMISSIONS: "x-eldrin-user-permissions"
+};
+function base64UrlDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function verifyJWTSignature(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return { valid: false, error: "Invalid JWT format" };
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  try {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    const key = await crypto.subtle.importKey(
+      "raw",
+      keyData,
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const signedData = encoder.encode(`${headerB64}.${payloadB64}`);
+    const signature = base64UrlDecode(signatureB64);
+    const isValid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      signature.buffer,
+      signedData
+    );
+    if (!isValid) {
+      return { valid: false, error: "Invalid signature" };
+    }
+    const payloadJson = new TextDecoder().decode(base64UrlDecode(payloadB64));
+    const payload = JSON.parse(payloadJson);
+    const now = Date.now();
+    if (payload.exp && payload.exp < now) {
+      return { valid: false, error: "Token expired" };
+    }
+    return { valid: true, payload };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "JWT verification failed"
+    };
+  }
+}
+function extractAppPermissions(payload, appId, developerId) {
+  const permissions = [];
+  for (const [key, perms] of Object.entries(payload.appPermissions)) {
+    if (developerId) {
+      if (key === `${developerId}:${appId}`) {
+        permissions.push(...perms);
+      }
+    } else {
+      if (key.endsWith(`:${appId}`)) {
+        permissions.push(...perms);
+      }
+    }
+  }
+  return permissions;
+}
+function jwtPayloadToAuthContext(payload, appId, developerId) {
+  return {
+    userId: payload.sub,
+    email: payload.email,
+    name: `${payload.firstName} ${payload.lastName}`.trim(),
+    platformRoles: payload.platformRoles,
+    permissions: extractAppPermissions(payload, appId, developerId)
+  };
+}
+async function verifyJWT(request, options) {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader) {
+    return { success: false, error: "Missing Authorization header" };
+  }
+  if (!authHeader.startsWith("Bearer ")) {
+    return { success: false, error: "Invalid Authorization header format" };
+  }
+  const token = authHeader.slice(7);
+  const result = await verifyJWTSignature(token, options.secret);
+  if (!result.valid || !result.payload) {
+    return { success: false, error: result.error || "JWT verification failed" };
+  }
+  const auth = jwtPayloadToAuthContext(result.payload, options.appId, options.developerId);
+  return { success: true, auth };
+}
+async function getAuthContextFromJWT(request, options) {
+  const authHeader = request.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    const result = await verifyJWT(request, options);
+    if (result.success) {
+      return result.auth;
+    }
+    return null;
+  }
+  return getAuthContext(request);
+}
+async function requireJWTAuth(request, options) {
+  const auth = await getAuthContextFromJWT(request, options);
+  if (!auth) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return auth;
+}
+async function requireJWTPermission(request, options, resource, action) {
+  const auth = await requireJWTAuth(request, options);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  if (!hasPermission(auth, resource, action)) {
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permission: ${resource}:${action}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function getAuthContext(request) {
+  const userId = request.headers.get(AUTH_HEADERS.USER_ID);
+  if (!userId) {
+    return null;
+  }
+  const email = request.headers.get(AUTH_HEADERS.USER_EMAIL) || "";
+  const name = request.headers.get(AUTH_HEADERS.USER_NAME) || "";
+  const rolesHeader = request.headers.get(AUTH_HEADERS.USER_ROLES) || "";
+  const permissionsHeader = request.headers.get(AUTH_HEADERS.USER_PERMISSIONS) || "";
+  return {
+    userId,
+    email,
+    name,
+    platformRoles: rolesHeader ? rolesHeader.split(",").map((r) => r.trim()) : [],
+    permissions: permissionsHeader ? permissionsHeader.split(",").map((p) => p.trim()) : []
+  };
+}
+function requireAuth(request) {
+  const auth = getAuthContext(request);
+  if (!auth) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return auth;
+}
+function hasPermission(auth, resource, action) {
+  const required = `${resource}:${action}`;
+  if (auth.permissions.includes(required)) {
+    return true;
+  }
+  if (auth.permissions.includes(`${resource}:*`)) {
+    return true;
+  }
+  if (auth.permissions.includes("*:*")) {
+    return true;
+  }
+  return false;
+}
+function hasPlatformRole(auth, role) {
+  return auth.platformRoles.includes(role);
+}
+function isPlatformAdmin(auth) {
+  return auth.platformRoles.includes("admin");
+}
+function requirePermission(request, resource, action) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  if (!hasPermission(auth, resource, action)) {
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permission: ${resource}:${action}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function requireAnyPermission(request, permissions) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  const hasAny = permissions.some(
+    ([resource, action]) => hasPermission(auth, resource, action)
+  );
+  if (!hasAny) {
+    const permList = permissions.map(([r, a]) => `${r}:${a}`).join(", ");
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing one of permissions: ${permList}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+function requireAllPermissions(request, permissions) {
+  const auth = requireAuth(request);
+  if (auth instanceof Response) {
+    return auth;
+  }
+  if (isPlatformAdmin(auth)) {
+    return auth;
+  }
+  const missing = permissions.filter(
+    ([resource, action]) => !hasPermission(auth, resource, action)
+  );
+  if (missing.length > 0) {
+    const permList = missing.map(([r, a]) => `${r}:${a}`).join(", ");
+    return new Response(
+      JSON.stringify({
+        error: "Forbidden",
+        message: `Missing permissions: ${permList}`
+      }),
+      {
+        status: 403,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  return auth;
+}
+
+// src/middleware/matcher.ts
+function compileRoutes(routes, apiPrefix) {
+  return routes.map((route) => {
+    const methods = new Set(
+      Array.isArray(route.method) ? route.method.map((m) => m.toUpperCase()) : [route.method.toUpperCase()]
+    );
+    const fullPath = `${apiPrefix}${route.path}`;
+    const paramNames = [];
+    let regexPattern = fullPath.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/:([a-zA-Z_][a-zA-Z0-9_]*)/g, (_, name) => {
+      paramNames.push(name);
+      return "([^/]+)";
+    }).replace(/\*/g, "[^/]+");
+    const pattern = new RegExp(`^${regexPattern}$`);
+    let permission = null;
+    if (route.permission) {
+      const colonIndex = route.permission.indexOf(":");
+      if (colonIndex > 0) {
+        permission = {
+          resource: route.permission.substring(0, colonIndex),
+          action: route.permission.substring(colonIndex + 1)
+        };
+      }
+    }
+    return {
+      methods,
+      pattern,
+      paramNames,
+      permission,
+      originalPath: route.path
+    };
+  });
+}
+function matchRoute(method, pathname, compiledRoutes) {
+  const upperMethod = method.toUpperCase();
+  for (const route of compiledRoutes) {
+    if (!route.methods.has(upperMethod)) continue;
+    const match = pathname.match(route.pattern);
+    if (match) {
+      const params = {};
+      route.paramNames.forEach((name, index) => {
+        params[name] = match[index + 1];
+      });
+      return { route, params };
+    }
+  }
+  return null;
+}
+function isPublicRoute(pathname, publicRoutes, apiPrefix) {
+  for (const publicPath of publicRoutes) {
+    const fullPath = `${apiPrefix}${publicPath}`;
+    if (pathname === fullPath) return true;
+    if (publicPath.endsWith("/*")) {
+      const prefix = `${apiPrefix}${publicPath.slice(0, -2)}`;
+      if (pathname.startsWith(prefix + "/")) return true;
+    }
+  }
+  return false;
+}
+
+// src/middleware/index.ts
+function createPermissionMiddleware(config) {
+  const apiPrefix = config.apiPrefix ?? "/api";
+  const manifest = config.manifest;
+  const api = manifest.api;
+  const compiledRoutes = api?.routes ? compileRoutes(api.routes, apiPrefix) : [];
+  const defaultPolicy = api?.defaultPolicy ?? "deny";
+  const publicRoutes = api?.publicRoutes ?? [];
+  const emptyAuth = {
+    userId: "",
+    email: "",
+    name: "",
+    platformRoles: [],
+    permissions: []
+  };
+  function createCorsHeaders() {
+    if (!config.cors) return {};
+    return {
+      "Access-Control-Allow-Origin": config.cors.allowOrigin,
+      "Access-Control-Allow-Methods": config.cors.allowMethods,
+      "Access-Control-Allow-Headers": config.cors.allowHeaders
+    };
+  }
+  function withCors(response) {
+    if (!config.cors) return response;
+    const newHeaders = new Headers(response.headers);
+    Object.entries(createCorsHeaders()).forEach(([key, value]) => {
+      newHeaders.set(key, value);
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders
+    });
+  }
+  function errorResponse(error) {
+    if (config.onError) {
+      return withCors(config.onError(error));
+    }
+    switch (error.type) {
+      case "unauthorized":
+        return withCors(
+          Response.json(
+            { error: "Unauthorized", message: error.message },
+            { status: 401 }
+          )
+        );
+      case "forbidden":
+        return withCors(
+          Response.json(
+            {
+              error: "Forbidden",
+              message: error.message,
+              permission: error.permission
+            },
+            { status: 403 }
+          )
+        );
+      case "route_not_found":
+        return withCors(
+          Response.json(
+            { error: "Not Found", message: error.message },
+            { status: 404 }
+          )
+        );
+    }
+  }
+  async function verifyAndGetAuth(request, env) {
+    const jwtOptions = {
+      secret: config.getSecret(env),
+      appId: manifest.id,
+      developerId: manifest.developer_id
+    };
+    const result = await verifyJWT(request, jwtOptions);
+    if (!result.success) {
+      return errorResponse({
+        type: "unauthorized",
+        message: result.error
+      });
+    }
+    return result.auth;
+  }
+  return {
+    async handle(request, env) {
+      const url = new URL(request.url);
+      const method = request.method;
+      const pathname = url.pathname;
+      if (config.skipRoutes) {
+        for (const skipPattern of config.skipRoutes) {
+          if (pathname.startsWith(skipPattern)) {
+            return { auth: emptyAuth, url, params: {} };
+          }
+        }
+      }
+      if (method === "OPTIONS") {
+        return {
+          response: new Response(null, {
+            status: 204,
+            headers: createCorsHeaders()
+          })
+        };
+      }
+      if (!pathname.startsWith(apiPrefix)) {
+        return { auth: emptyAuth, url, params: {} };
+      }
+      if (isPublicRoute(pathname, publicRoutes, apiPrefix)) {
+        return { auth: emptyAuth, url, params: {} };
+      }
+      const match = matchRoute(method, pathname, compiledRoutes);
+      if (!match) {
+        if (defaultPolicy === "allow") {
+          return { auth: emptyAuth, url, params: {} };
+        }
+        const authResult2 = await verifyAndGetAuth(request, env);
+        if (authResult2 instanceof Response) {
+          return { response: authResult2 };
+        }
+        return { auth: authResult2, url, params: {} };
+      }
+      if (match.route.permission === null) {
+        return { auth: emptyAuth, url, params: match.params };
+      }
+      const authResult = await verifyAndGetAuth(request, env);
+      if (authResult instanceof Response) {
+        return { response: authResult };
+      }
+      const auth = authResult;
+      if (isPlatformAdmin(auth)) {
+        return { auth, url, params: match.params };
+      }
+      const { resource, action } = match.route.permission;
+      if (!hasPermission(auth, resource, action)) {
+        return {
+          response: errorResponse({
+            type: "forbidden",
+            message: `Missing permission: ${resource}:${action}`,
+            permission: `${resource}:${action}`
+          })
+        };
+      }
+      return { auth, url, params: match.params };
+    }
+  };
+}
+
+exports.AUTH_HEADERS = AUTH_HEADERS;
 exports.CHECKSUM_PREFIX = CHECKSUM_PREFIX;
 exports.DatabaseProvider = DatabaseProvider;
+exports.EldrinEventClient = EldrinEventClient;
 exports.calculateChecksum = calculateChecksum;
 exports.calculatePrefixedChecksum = calculatePrefixedChecksum;
+exports.compileRoutes = compileRoutes;
 exports.createApp = createApp;
+exports.createEventClient = createEventClient;
+exports.createPermissionMiddleware = createPermissionMiddleware;
 exports.extractTimestamp = extractTimestamp;
 exports.generateMigrationManifest = generateMigrationManifest;
+exports.getAuthContext = getAuthContext;
+exports.getAuthContextFromJWT = getAuthContextFromJWT;
 exports.getMigrationStatus = getMigrationStatus;
 exports.getRollbackFilename = getRollbackFilename;
+exports.hasPermission = hasPermission;
+exports.hasPlatformRole = hasPlatformRole;
+exports.isPlatformAdmin = isPlatformAdmin;
+exports.isPublicRoute = isPublicRoute;
 exports.isValidMigrationFilename = isValidMigrationFilename;
 exports.isValidRollbackFilename = isValidRollbackFilename;
+exports.matchRoute = matchRoute;
 exports.parseSQLStatements = parseSQLStatements;
+exports.requireAllPermissions = requireAllPermissions;
+exports.requireAnyPermission = requireAnyPermission;
+exports.requireAuth = requireAuth;
+exports.requireJWTAuth = requireJWTAuth;
+exports.requireJWTPermission = requireJWTPermission;
+exports.requirePermission = requirePermission;
 exports.rollbackMigrations = rollbackMigrations;
 exports.runMigrations = runMigrations;
 exports.useDatabase = useDatabase;
@@ -578,5 +1198,6 @@ exports.useDatabaseContext = useDatabaseContext;
 exports.useMigrationsComplete = useMigrationsComplete;
 exports.validateMigrationManifest = validateMigrationManifest;
 exports.verifyChecksum = verifyChecksum;
+exports.verifyJWT = verifyJWT;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map