@electr0zed/auth-gateway-cf 0.1.0

package/dist/auth/pkceState.d.ts

@@ -0,0 +1,40 @@
+import type { StateInfo } from '../types';
+/**
+ * Creates a new PKCE state.
+ *
+ * @export
+ * @async
+ * @returns {Promise<{ state: string; codeChallenge: string; verifier: string }>}
+ */
+export declare function makePkceState(): Promise<{
+    state: string;
+    codeChallenge: string;
+    verifier: string;
+}>;
+/**
+ * Saves a short-lived PKCE state to KV.
+ *
+ * @export
+ * @async
+ * @param {KVNamespace} kv
+ * @param {string} state
+ * @param {string} verifier
+ * @param {number} ttlSec
+ * @param {StateInfo} info
+ * @returns {Promise<void>}
+ */
+export declare function saveShortState(kv: KVNamespace, state: string, verifier: string, ttlSec: number, info: StateInfo): Promise<void>;
+/**
+ * Consumes a short-lived PKCE state from KV.
+ *
+ * @export
+ * @async
+ * @param {KVNamespace} kv
+ * @param {string} stateParam
+ * @returns {Promise<{ verifier: string; info: StateInfo }>}
+ */
+export declare function consumeShortState(kv: KVNamespace, stateParam: string): Promise<{
+    verifier: string;
+    info: StateInfo;
+}>;
+//# sourceMappingURL=pkceState.d.ts.map

package/dist/auth/pkceState.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkceState.d.ts","sourceRoot":"","sources":["../../src/auth/pkceState.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAyB,MAAM,UAAU,CAAC;AAEjE;;;;;;GAMG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CACjB,CAAC,CAQD;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAGrI;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,SAAS,CAAA;CAAE,CAAC,CAoB3H"}

package/dist/auth/pkceState.js

@@ -0,0 +1,75 @@
+/**
+ * Creates a new PKCE state.
+ *
+ * @export
+ * @async
+ * @returns {Promise<{ state: string; codeChallenge: string; verifier: string }>}
+ */
+export async function makePkceState() {
+    const verBytes = crypto.getRandomValues(new Uint8Array(32));
+    const verifier = Array.from(verBytes)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+    const state = crypto.randomUUID();
+    const codeChallenge = await sha256Base64Url(verifier);
+    return { state, codeChallenge, verifier };
+}
+/**
+ * Saves a short-lived PKCE state to KV.
+ *
+ * @export
+ * @async
+ * @param {KVNamespace} kv
+ * @param {string} state
+ * @param {string} verifier
+ * @param {number} ttlSec
+ * @param {StateInfo} info
+ * @returns {Promise<void>}
+ */
+export async function saveShortState(kv, state, verifier, ttlSec, info) {
+    const payload = { v: verifier, i: info };
+    await kv.put(`_pkce:${state}`, JSON.stringify(payload), { expirationTtl: ttlSec });
+}
+/**
+ * Consumes a short-lived PKCE state from KV.
+ *
+ * @export
+ * @async
+ * @param {KVNamespace} kv
+ * @param {string} stateParam
+ * @returns {Promise<{ verifier: string; info: StateInfo }>}
+ */
+export async function consumeShortState(kv, stateParam) {
+    const key = `_pkce:${stateParam}`;
+    const raw = await kv.get(key);
+    if (!raw)
+        throw new Error('state expired');
+    // Best-effort cleanup first to avoid reuse; errors ignored
+    await kv.delete(key).catch(() => { });
+    let parsed = null;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new Error('bad_state');
+    }
+    const verifier = parsed?.v;
+    const info = parsed?.i ?? { mode: 'login' };
+    if (!verifier)
+        throw new Error('bad_state');
+    return { verifier, info };
+}
+/**
+ * Computes the SHA-256 hash of the input and encodes it in base64url.
+ *
+ * @async
+ * @param {string} input
+ * @returns {Promise<string>}
+ */
+async function sha256Base64Url(input) {
+    const data = new TextEncoder().encode(input);
+    const digest = await crypto.subtle.digest('SHA-256', data);
+    const b = String.fromCharCode(...new Uint8Array(digest));
+    return btoa(b).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+//# sourceMappingURL=pkceState.js.map

package/dist/auth/pkceState.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkceState.js","sourceRoot":"","sources":["../../src/auth/pkceState.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IAKlC,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5D,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAClC,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IACtD,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,EAAe,EAAE,KAAa,EAAE,QAAgB,EAAE,MAAc,EAAE,IAAe;IACrH,MAAM,OAAO,GAAe,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IACrD,MAAM,EAAE,CAAC,GAAG,CAAC,SAAS,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;AACpF,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,EAAe,EAAE,UAAkB;IAC1E,MAAM,GAAG,GAAG,SAAS,UAAU,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IAE3C,2DAA2D;IAC3D,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAErC,IAAI,MAAM,GAAsB,IAAI,CAAC;IACrC,IAAI,CAAC;QACJ,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACR,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,OAAoB,EAAE,CAAC;IACzD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;IAE5C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,eAAe,CAAC,KAAa;IAC3C,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,MAAM,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IACzD,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC"}

package/dist/config.example.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config.example.d.ts.map

package/dist/config.example.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.example.d.ts","sourceRoot":"","sources":["../src/config.example.ts"],"names":[],"mappings":""}

package/dist/config.example.js

@@ -0,0 +1,83 @@
+import { defineConfig } from '.';
+defineConfig({
+    projectName: 'demo-project',
+    publicBaseUrl: 'http://domain.com',
+    oAuth: {
+        enabled: true,
+        defaultProvider: 'google',
+        providers: [
+            {
+                id: 'google',
+                enabled: true,
+                label: 'Google',
+                clientId: 'clientId',
+                clientSecretEnv: 'GOOGLE_CLIENT_SECRET',
+            },
+        ],
+        successRedirectUrl: '/',
+        failureRedirectUrl: '/error',
+    },
+    passwordAuth: {
+        enabled: true,
+        pepperEnv: 'PASSWORD_PEPPERS',
+        allowSignup: true,
+        turnstile: {
+            enabled: true,
+            secretEnv: 'TURNSTILE_SECRET',
+            tokenField: 'turnstileToken',
+        },
+    },
+    session: {
+        kind: 'durableObject',
+        cookieName: '__Host-sid',
+        doName: {},
+        jwtSecretEnv: 'SESSION_JWT_SECRET',
+        idleTtlSec: 14 * 24 * 60 * 60, // 14 days
+        absoluteTtlSec: 30 * 24 * 60 * 60, // 30 days
+        issuer: 'auth-gateway',
+        audience: 'internal-services',
+    },
+    userStore: {
+        kind: 'postgres',
+        hyperdrive: {},
+        shortStateKV: {},
+    },
+    propagation: {
+        headerName: 'X-User',
+        sigHeaderName: 'X-User-Sig',
+        hmacSecretEnv: 'AUTH_HMAC_KEY',
+    },
+    routes: [
+        {
+            match: {
+                path: /^\/admin(?:\/|$)/,
+            },
+            auth: 'required',
+            service: {},
+        },
+        {
+            match: {
+                path: /^.*/,
+            },
+            auth: 'none',
+            service: {},
+        },
+    ],
+    overrides: {
+        globalUnauthenticatedRedirectUrl: '/custom-login',
+        accountApproval: {
+            enabled: true,
+        },
+        emailVerification: {
+            enabled: true,
+            requiredForLogin: true,
+        },
+        autoLoginAfterSignup: true,
+        captureUsername: {
+            enabled: true,
+            required: false,
+            minLength: 5,
+        },
+    },
+});
+//# sourceMappingURL=config.example.js.map

package/dist/config.example.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.example.js","sourceRoot":"","sources":["../src/config.example.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,GAAG,CAAC;AAEjC,YAAY,CAAC;IACZ,WAAW,EAAE,cAAc;IAC3B,aAAa,EAAE,mBAAmB;IAClC,KAAK,EAAE;QACN,OAAO,EAAE,IAAI;QACb,eAAe,EAAE,QAAQ;QACzB,SAAS,EAAE;YACV;gBACC,EAAE,EAAE,QAAQ;gBACZ,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,UAAU;gBACpB,eAAe,EAAE,sBAAsB;aACvC;SACD;QACD,kBAAkB,EAAE,GAAG;QACvB,kBAAkB,EAAE,QAAQ;KAC5B;IACD,YAAY,EAAE;QACb,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,kBAAkB;QAC7B,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE;YACV,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,gBAAgB;SAC5B;KACD;IACD,OAAO,EAAE;QACR,IAAI,EAAE,eAAe;QACrB,UAAU,EAAE,YAAY;QACxB,MAAM,EAAE,EAAyD;QACjE,YAAY,EAAE,oBAAoB;QAClC,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;QACzC,cAAc,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;QAC7C,MAAM,EAAE,cAAc;QACtB,QAAQ,EAAE,mBAAmB;KAC7B;IACD,SAAS,EAAE;QACV,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,EAAgB;QAC5B,YAAY,EAAE,EAAiB;KAC/B;IACD,WAAW,EAAE;QACZ,UAAU,EAAE,QAAQ;QACpB,aAAa,EAAE,YAAY;QAC3B,aAAa,EAAE,eAAe;KAC9B;IACD,MAAM,EAAE;QACP;YACC,KAAK,EAAE;gBACN,IAAI,EAAE,kBAAkB;aACxB;YACD,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAa;SACtB;QACD;YACC,KAAK,EAAE;gBACN,IAAI,EAAE,KAAK;aACX;YACD,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,EAAa;SACtB;KACD;IACD,SAAS,EAAE;QACV,gCAAgC,EAAE,eAAe;QACjD,eAAe,EAAE;YAChB,OAAO,EAAE,IAAI;SACb;QACD,iBAAiB,EAAE;YAClB,OAAO,EAAE,IAAI;YACb,gBAAgB,EAAE,IAAI;SACtB;QACD,oBAAoB,EAAE,IAAI;QAC1B,eAAe,EAAE;YAChB,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,CAAC;SACZ;KACD;CACD,CAAC,CAAC"}

package/dist/core/gateway.d.ts

@@ -0,0 +1,11 @@
+import type { ProjectConfig } from '../types';
+export declare class Gateway {
+    private env;
+    private cfg;
+    private auth;
+    private strat;
+    private matcher;
+    constructor(env: Env, cfg: ProjectConfig);
+    fetch(request: Request): Promise<Response>;
+}
+//# sourceMappingURL=gateway.d.ts.map

package/dist/core/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../src/core/gateway.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAmB,MAAM,UAAU,CAAC;AAU/D,qBAAa,OAAO;IAMlB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,GAAG;IANZ,OAAO,CAAC,IAAI,CAAa;IACzB,OAAO,CAAC,KAAK,CAAkB;IAC/B,OAAO,CAAC,OAAO,CAAe;gBAGrB,GAAG,EAAE,GAAG,EACR,GAAG,EAAE,aAAa;IAQrB,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;CAuFhD"}

package/dist/core/gateway.js

@@ -0,0 +1,97 @@
+import { RouteMatcher } from '../routing/routeMatcher';
+import { makeSessionStrategy } from '../sessions';
+import { attachSignedUser, stripUser } from '../utils/propagation';
+import { AuthRouter } from '../auth';
+import { makeUserStore } from '../stores';
+import { hasAllRoles, hasAnyRole } from '../utils/roles';
+import { safeReturnTo } from '../utils/returnTo';
+import { STATIC_ASSET_RE } from '../utils/helpers';
+export class Gateway {
+    env;
+    cfg;
+    auth;
+    strat;
+    matcher;
+    constructor(env, cfg) {
+        this.env = env;
+        this.cfg = cfg;
+        const store = makeUserStore(cfg.userStore);
+        this.strat = makeSessionStrategy(cfg.session);
+        this.auth = new AuthRouter(cfg, env, store, this.strat);
+        this.matcher = new RouteMatcher(cfg.routes);
+    }
+    async fetch(request) {
+        const url = new URL(request.url);
+        // If the request is for auth, delegate to AuthRouter
+        if (/^\/auth(\/|$)/.test(url.pathname)) {
+            return this.auth.handle(request);
+        }
+        // Match route
+        const rule = this.matcher.match(url, request.method);
+        if (!rule) {
+            return new Response('Route not configured', { status: 501 });
+        }
+        // Check for existing session
+        const { session, accessJwt } = await this.strat.resolve(request, this.env);
+        // Common static asset extensions (tight allow-list)
+        const staticAssetRegex = this.cfg.overrides?.staticAssetRegex || STATIC_ASSET_RE;
+        const isStaticAsset = staticAssetRegex.test(url.pathname);
+        // Enforce auth if route requires it
+        if (rule.auth === 'required' && !(isStaticAsset && rule.bypassAuthForStaticAssets)) {
+            if (!this.auth.authFeatureEnabled()) {
+                return new Response('Authentication is disabled', { status: 501 });
+            }
+            if (!session) {
+                const returnTo = safeReturnTo(request.url, this.cfg.publicBaseUrl);
+                return this.auth.createUnauthenticatedRedirect(request.url, returnTo, rule.unauthenticatedRedirectUrl);
+            }
+            if (rule.requireRolesAll && !hasAllRoles(session.systemRoles, rule.requireRolesAll)) {
+                return new Response('Forbidden', { status: 403 });
+            }
+            if (rule.requireRolesAny && !hasAnyRole(session.systemRoles, rule.requireRolesAny)) {
+                return new Response('Forbidden', { status: 403 });
+            }
+        }
+        // Prepare forwarded request with appropriate headers
+        const headers = new Headers(request.headers);
+        if (session)
+            await attachSignedUser(headers, session, this.cfg, this.env);
+        else
+            stripUser(headers, this.cfg);
+        if (accessJwt)
+            headers.set('X-Access-Token', accessJwt);
+        // Get target service binding
+        const target = rule.service;
+        if (!target) {
+            return new Response(`Bad route: service binding not available`, { status: 502 });
+        }
+        const upstreamUrl = new URL(url.pathname + url.search, 'http://internal');
+        const method = request.method.toUpperCase();
+        const canHaveBody = method !== 'GET' && method !== 'HEAD';
+        // Clone headers
+        const fwdHeaders = new Headers(headers);
+        // Add standard forwarding headers
+        fwdHeaders.set('X-Forwarded-Host', url.host);
+        fwdHeaders.set('X-Forwarded-Proto', url.protocol.replace(':', ''));
+        fwdHeaders.set('X-Original-URL', url.pathname + url.search);
+        // Defensive: strip body-related headers for methods that cannot have a body
+        if (!canHaveBody) {
+            fwdHeaders.delete('content-length');
+            fwdHeaders.delete('transfer-encoding');
+            fwdHeaders.delete('content-type');
+        }
+        const init = {
+            method,
+            headers: fwdHeaders,
+            redirect: 'manual',
+        };
+        // Only attach body (and duplex) for methods that can have one
+        if (canHaveBody) {
+            init.body = request.body;
+            init.duplex = 'half';
+        }
+        const fwdReq = new Request(upstreamUrl, init);
+        return target.fetch(fwdReq);
+    }
+}
+//# sourceMappingURL=gateway.js.map

package/dist/core/gateway.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.js","sourceRoot":"","sources":["../../src/core/gateway.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACnE,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,MAAM,OAAO,OAAO;IAMV;IACA;IAND,IAAI,CAAa;IACjB,KAAK,CAAkB;IACvB,OAAO,CAAe;IAE9B,YACS,GAAQ,EACR,GAAkB;QADlB,QAAG,GAAH,GAAG,CAAK;QACR,QAAG,GAAH,GAAG,CAAe;QAE1B,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAEjC,qDAAqD;QACrD,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QAED,cAAc;QACd,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,IAAI,QAAQ,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,6BAA6B;QAC7B,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAE3E,oDAAoD;QACpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,gBAAgB,IAAI,eAAe,CAAC;QACjF,MAAM,aAAa,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE1D,oCAAoC;QACpC,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,aAAa,IAAI,IAAI,CAAC,yBAAyB,CAAC,EAAE,CAAC;YACpF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;gBACrC,OAAO,IAAI,QAAQ,CAAC,4BAA4B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;gBACnE,OAAO,IAAI,CAAC,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACxG,CAAC;YAED,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;gBACrF,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACnD,CAAC;YAED,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpF,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACnD,CAAC;QACF,CAAC;QAED,qDAAqD;QACrD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,OAAO;YAAE,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;;YACrE,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,SAAS;YAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAExD,6BAA6B;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,OAAO,IAAI,QAAQ,CAAC,0CAA0C,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAClF,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;QAE1E,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;QAE1D,gBAAgB;QAChB,MAAM,UAAU,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QAExC,kCAAkC;QAClC,UAAU,CAAC,GAAG,CAAC,kBAAkB,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7C,UAAU,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QACnE,UAAU,CAAC,GAAG,CAAC,gBAAgB,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QAE5D,4EAA4E;QAC5E,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,UAAU,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACpC,UAAU,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACvC,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,IAAI,GAAsC;YAC/C,MAAM;YACN,OAAO,EAAE,UAAU;YACnB,QAAQ,EAAE,QAAQ;SAClB,CAAC;QAEF,8DAA8D;QAC9D,IAAI,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACtB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAC9C,OAAO,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;CACD"}

package/dist/do/sessionDo.d.ts

@@ -0,0 +1,11 @@
+import { DurableObject } from 'cloudflare:workers';
+export declare class SessionDO extends DurableObject {
+    private cache?;
+    constructor(ctx: DurableObjectState, env: Env);
+    fetch(req: Request): Promise<Response>;
+    alarm(): Promise<void>;
+    private isExpired;
+    private scheduleAlarm;
+    private deleteSession;
+}
+//# sourceMappingURL=sessionDo.d.ts.map

package/dist/do/sessionDo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionDo.d.ts","sourceRoot":"","sources":["../../src/do/sessionDo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAUnD,qBAAa,SAAU,SAAQ,aAAa;IAC3C,OAAO,CAAC,KAAK,CAAC,CAAW;gBAEb,GAAG,EAAE,kBAAkB,EAAE,GAAG,EAAE,GAAG;IAavC,KAAK,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAmEtC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAW5B,OAAO,CAAC,SAAS;YAKH,aAAa;YAQb,aAAa;CAK3B"}

package/dist/do/sessionDo.js

@@ -0,0 +1,96 @@
+import { DurableObject } from 'cloudflare:workers';
+import { json } from '../utils/http';
+export class SessionDO extends DurableObject {
+    cache;
+    constructor(ctx, env) {
+        super(ctx, env);
+        this.ctx.blockConcurrencyWhile(async () => {
+            const s = await this.ctx.storage.get('session');
+            if (s && this.isExpired(s)) {
+                await this.deleteSession();
+            }
+            else if (s) {
+                this.cache = s;
+                await this.scheduleAlarm(s);
+            }
+        });
+    }
+    async fetch(req) {
+        if (req.method !== 'POST')
+            return new Response('method not allowed', { status: 405 });
+        const ct = req.headers.get('content-type') || '';
+        if (!ct.includes('application/json')) {
+            return json({ error: 'bad content-type' }, { status: 400 });
+        }
+        const { op, session, idleTtlSec, absoluteTtlSec } = (await req.json().catch(() => ({})));
+        if (op === 'put') {
+            if (!session?.userId || !session?.email)
+                return json({ error: 'invalid session: missing userId/email' }, { status: 400 });
+            const now = Date.now();
+            const idleMs = (idleTtlSec ?? 14 * 24 * 60 * 60) * 1000;
+            const absMs = (absoluteTtlSec ?? 30 * 24 * 60 * 60) * 1000;
+            const stored = {
+                ...session,
+                createdAt: now,
+                updatedAt: now,
+                idleMs,
+                expiresAt: now + idleMs,
+                absoluteAt: now + absMs,
+            };
+            this.cache = stored;
+            await this.ctx.storage.put('session', stored);
+            await this.ctx.storage.setAlarm(new Date(Math.min(stored.expiresAt, stored.absoluteAt)));
+            return json({ ok: true });
+        }
+        if (op === 'get') {
+            if (!this.cache) {
+                this.cache = (await this.ctx.storage.get('session')) || undefined;
+            }
+            if (!this.cache)
+                return json({ session: null });
+            if (this.isExpired(this.cache)) {
+                await this.deleteSession();
+                return json({ session: null });
+            }
+            const now = Date.now();
+            this.cache.updatedAt = now;
+            this.cache.expiresAt = Math.min(now + this.cache.idleMs, this.cache.absoluteAt);
+            await this.ctx.storage.put('session', this.cache);
+            await this.ctx.storage.setAlarm(new Date(Math.min(this.cache.expiresAt, this.cache.absoluteAt)));
+            const { expiresAt: _ex, absoluteAt: _ab, idleMs: _id, ...publicSession } = this.cache;
+            return json({ session: publicSession });
+        }
+        if (op === 'delete') {
+            await this.deleteSession();
+            return json({ ok: true });
+        }
+        return new Response('bad op', { status: 400 });
+    }
+    async alarm() {
+        const s = (await this.ctx.storage.get('session')) || undefined;
+        if (!s)
+            return;
+        if (this.isExpired(s)) {
+            await this.deleteSession();
+            return;
+        }
+        await this.ctx.storage.setAlarm(new Date(Math.min(s.expiresAt, s.absoluteAt)));
+    }
+    isExpired(s) {
+        const now = Date.now();
+        return now >= s.expiresAt || now >= s.absoluteAt;
+    }
+    async scheduleAlarm(s) {
+        if (!s) {
+            await this.ctx.storage.deleteAlarm?.();
+            return;
+        }
+        await this.ctx.storage.setAlarm(new Date(Math.min(s.expiresAt, s.absoluteAt)));
+    }
+    async deleteSession() {
+        this.cache = undefined;
+        await this.ctx.storage.delete('session');
+        await this.ctx.storage.deleteAlarm?.();
+    }
+}
+//# sourceMappingURL=sessionDo.js.map

package/dist/do/sessionDo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionDo.js","sourceRoot":"","sources":["../../src/do/sessionDo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAQrC,MAAM,OAAO,SAAU,SAAQ,aAAa;IACnC,KAAK,CAAY;IAEzB,YAAY,GAAuB,EAAE,GAAQ;QAC5C,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAChB,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,IAAI,EAAE;YACzC,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAW,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5B,CAAC;iBAAM,IAAI,CAAC,EAAE,CAAC;gBACd,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;gBACf,MAAM,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;QACF,CAAC,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAY;QACvB,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAEtF,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAKtF,CAAC;QAEF,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,KAAK;gBAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAE1H,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,CAAC,UAAU,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;YACxD,MAAM,KAAK,GAAG,CAAC,cAAc,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;YAE3D,MAAM,MAAM,GAAa;gBACxB,GAAG,OAAO;gBACV,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;gBACd,MAAM;gBACN,SAAS,EAAE,GAAG,GAAG,MAAM;gBACvB,UAAU,EAAE,GAAG,GAAG,KAAK;aACvB,CAAC;YAEF,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;YACpB,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAC9C,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACzF,OAAO,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3B,CAAC;QAED,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACjB,IAAI,CAAC,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAW,SAAS,CAAC,CAAC,IAAI,SAAS,CAAC;YAC7E,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAEhD,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAChC,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,GAAG,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAEhF,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAEjG,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,aAAa,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;YACtF,OAAO,IAAI,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,KAAK;QACV,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAW,SAAS,CAAC,CAAC,IAAI,SAAS,CAAC;QACzE,IAAI,CAAC,CAAC;YAAE,OAAO;QAEf,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC3B,OAAO;QACR,CAAC;QACD,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChF,CAAC;IAEO,SAAS,CAAC,CAAW;QAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,GAAG,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,CAAC,CAAC,UAAU,CAAC;IAClD,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,CAAY;QACvC,IAAI,CAAC,CAAC,EAAE,CAAC;YACR,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;YACvC,OAAO;QACR,CAAC;QACD,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChF,CAAC;IAEO,KAAK,CAAC,aAAa;QAC1B,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC;QACvB,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;IACxC,CAAC;CACD"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+import type { ProjectConfig } from './types';
+export { SessionDO } from './do/sessionDo';
+export default function createGateway(cfg: ProjectConfig): ExportedHandler<Env>;
+export declare function defineConfig(config: ProjectConfig): ProjectConfig;
+export type * from './types';
+export * from './utils/verifyInternal';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAI3C,MAAM,CAAC,OAAO,UAAU,aAAa,CAAC,GAAG,EAAE,aAAa,GAAG,eAAe,CAAC,GAAG,CAAC,CAO9E;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,aAAa,GAAG,aAAa,CAEjE;AAED,mBAAmB,SAAS,CAAC;AAC7B,cAAc,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1,16 @@
+import { Gateway } from './core/gateway';
+export { SessionDO } from './do/sessionDo';
+let gateway;
+export default function createGateway(cfg) {
+    return {
+        async fetch(request, env, _ctx) {
+            gateway ??= new Gateway(env, cfg);
+            return gateway.fetch(request);
+        },
+    };
+}
+export function defineConfig(config) {
+    return config;
+}
+export * from './utils/verifyInternal';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAGzC,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,IAAI,OAA4B,CAAC;AAEjC,MAAM,CAAC,OAAO,UAAU,aAAa,CAAC,GAAkB;IACvD,OAAO;QACN,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI;YAC7B,OAAO,KAAK,IAAI,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAClC,OAAO,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;KACD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAqB;IACjD,OAAO,MAAM,CAAC;AACf,CAAC;AAGD,cAAc,wBAAwB,CAAC"}

package/dist/providers/baseProvider.d.ts

@@ -0,0 +1,22 @@
+import type { ProviderConfig, LoginProviderId, ProviderIdentity, ProviderStatic, NormalizedClaims } from '../types';
+export declare abstract class AuthProvider {
+    readonly id: LoginProviderId;
+    private readonly authorizeEndpoint;
+    private readonly tokenEndpoint;
+    private readonly defaultIssuer;
+    private readonly defaultScope?;
+    private readonly userInfoEndpoint?;
+    private readonly claimsMode;
+    constructor(staticCfg: ProviderStatic);
+    protected abstract normalize(claims: unknown): NormalizedClaims;
+    protected getDefaultScope(cfg: ProviderConfig): string;
+    protected getRedirectUri(baseUrl: string): string;
+    protected getClientSecret(env: Env, cfg: ProviderConfig): string | undefined;
+    loginURL(cfg: ProviderConfig, baseUrl: string, state: string, codeChallenge: string): string;
+    exchangeCode(cfg: ProviderConfig, env: Env, code: string, codeVerifier: string, redirectUri: string): Promise<ProviderIdentity>;
+    protected fetchUserInfo(userInfoEndpoint: string, accessToken: string): Promise<{
+        claims: unknown;
+    }>;
+    protected parseJwt(token: string): unknown;
+}
+//# sourceMappingURL=baseProvider.d.ts.map

package/dist/providers/baseProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseProvider.d.ts","sourceRoot":"","sources":["../../src/providers/baseProvider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,cAAc,EACd,eAAe,EACf,gBAAgB,EAEhB,cAAc,EACd,gBAAgB,EAEhB,MAAM,UAAU,CAAC;AAElB,8BAAsB,YAAY;IACjC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;gBAE5B,SAAS,EAAE,cAAc;IAUrC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,GAAG,gBAAgB;IAE/D,SAAS,CAAC,eAAe,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM;IAItD,SAAS,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAIjD,SAAS,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,cAAc,GAAG,MAAM,GAAG,SAAS;IAK5E,QAAQ,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM;IAiBtF,YAAY,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;cAuErH,aAAa,CAAC,gBAAgB,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,OAAO,CAAA;KAAE,CAAC;IAO1G,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAW1C"}

package/dist/providers/baseProvider.js

@@ -0,0 +1,129 @@
+export class AuthProvider {
+    id;
+    authorizeEndpoint;
+    tokenEndpoint;
+    defaultIssuer;
+    defaultScope;
+    userInfoEndpoint;
+    claimsMode;
+    constructor(staticCfg) {
+        this.id = staticCfg.id;
+        this.authorizeEndpoint = staticCfg.authorizeEndpoint;
+        this.tokenEndpoint = staticCfg.tokenEndpoint;
+        this.defaultIssuer = staticCfg.defaultIssuer;
+        this.defaultScope = staticCfg.defaultScope;
+        this.userInfoEndpoint = staticCfg.userInfoEndpoint;
+        this.claimsMode = staticCfg.claimsMode;
+    }
+    getDefaultScope(cfg) {
+        return cfg.scope ?? this.defaultScope ?? 'openid email profile';
+    }
+    getRedirectUri(baseUrl) {
+        return `${baseUrl}/auth/callback`;
+    }
+    getClientSecret(env, cfg) {
+        const key = cfg.clientSecretEnv;
+        return key ? env[key] : undefined;
+    }
+    loginURL(cfg, baseUrl, state, codeChallenge) {
+        const scope = this.getDefaultScope(cfg);
+        const redirectUri = this.getRedirectUri(baseUrl);
+        const qp = new URLSearchParams({
+            client_id: cfg.clientId,
+            response_type: 'code',
+            redirect_uri: redirectUri,
+            scope,
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+            state,
+        });
+        return `${this.authorizeEndpoint}?${qp.toString()}`;
+    }
+    async exchangeCode(cfg, env, code, codeVerifier, redirectUri) {
+        const scope = this.getDefaultScope(cfg);
+        const clientSecret = this.getClientSecret(env, cfg);
+        const body = new URLSearchParams({
+            client_id: cfg.clientId,
+            code,
+            code_verifier: codeVerifier,
+            grant_type: 'authorization_code',
+            redirect_uri: redirectUri,
+            scope,
+        });
+        if (clientSecret)
+            body.set('client_secret', clientSecret);
+        const res = await fetch(this.tokenEndpoint, {
+            method: 'POST',
+            headers: { 'content-type': 'application/x-www-form-urlencoded' },
+            body,
+        });
+        if (!res.ok) {
+            const text = await res.text().catch(() => '');
+            throw new Error(`token exchange failed: ${res.status} ${text}`);
+        }
+        const json = (await res.json());
+        let claims = {};
+        if (this.claimsMode === 'id_token') {
+            if (typeof json.id_token !== 'string')
+                throw new Error('id_token_missing');
+            const decoded = this.parseJwt(json.id_token);
+            claims = decoded;
+            const issuer = (cfg.issuer ?? this.defaultIssuer) || '';
+            // iss
+            if (typeof decoded.iss === 'string' && decoded.iss !== issuer) {
+                throw new Error('bad_issuer');
+            }
+            // aud (string or string[])
+            const aud = decoded.aud;
+            const okAud = (typeof aud === 'string' && aud === cfg.clientId) || (Array.isArray(aud) && aud.includes(cfg.clientId));
+            if (!okAud)
+                throw new Error('bad_audience');
+            // exp
+            const exp = decoded.exp;
+            const now = Math.floor(Date.now() / 1000);
+            if (typeof exp === 'number' && now >= exp)
+                throw new Error('id_token_expired');
+        }
+        else if (this.claimsMode === 'userinfo') {
+            if (!this.userInfoEndpoint || typeof json.access_token !== 'string') {
+                throw new Error('userinfo_unavailable');
+            }
+            const info = await this.fetchUserInfo(this.userInfoEndpoint, json.access_token);
+            claims = info.claims;
+        }
+        else {
+            throw new Error('claims_unavailable');
+        }
+        const norm = this.normalize(claims);
+        if (!norm.email)
+            throw new Error('email_required');
+        if (!norm.subject)
+            throw new Error('missing_subject');
+        const issuer = (cfg.issuer ?? this.defaultIssuer) || '';
+        return {
+            email: norm.email,
+            provider: this.id,
+            issuer,
+            subject: norm.subject,
+        };
+    }
+    async fetchUserInfo(userInfoEndpoint, accessToken) {
+        const r = await fetch(userInfoEndpoint, { headers: { authorization: `Bearer ${accessToken}` } });
+        if (!r.ok)
+            throw new Error(`userinfo failed: ${r.status}`);
+        const claims = (await r.json());
+        return { claims };
+    }
+    parseJwt(token) {
+        const [, p] = token.split('.');
+        if (!p)
+            return {};
+        // base64url -> base64 with padding
+        let b64 = p.replace(/-/g, '+').replace(/_/g, '/');
+        const pad = b64.length % 4;
+        if (pad)
+            b64 += '='.repeat(4 - pad);
+        return JSON.parse(atob(b64));
+    }
+}
+//# sourceMappingURL=baseProvider.js.map