@emmanuel-nike/ark-notify-js 0.1.0 → 0.1.2

package/dist/server/index.cjs

@@ -0,0 +1,128 @@
+'use strict';
+
+var crypto = require('crypto');
+
+// src/server-auth.ts
+var CLIENT_ID_PATTERN = /^[a-zA-Z0-9_\-.]{1,128}$/;
+var DEFAULT_TTL_SECONDS = 3600;
+var MAX_TTL_SECONDS = 86400;
+var DEFAULT_CAPABILITIES = {
+  subscribe: true,
+  publish: true,
+  presence: true
+};
+function isValidClientId(clientId) {
+  return typeof clientId === "string" && CLIENT_ID_PATTERN.test(clientId);
+}
+function normalizeCapabilities(capabilities) {
+  if (!capabilities || typeof capabilities !== "object") {
+    return { ...DEFAULT_CAPABILITIES };
+  }
+  return {
+    subscribe: capabilities.subscribe !== false,
+    publish: capabilities.publish !== false,
+    presence: capabilities.presence !== false
+  };
+}
+function resolveTokenTtl(ttl) {
+  if (ttl === void 0 || ttl === null) {
+    return DEFAULT_TTL_SECONDS;
+  }
+  if (!Number.isInteger(ttl) || ttl <= 0) {
+    throw new Error("ttl must be a positive integer (seconds)");
+  }
+  return Math.min(ttl, MAX_TTL_SECONDS);
+}
+function encodePayload(payload) {
+  return Buffer.from(JSON.stringify(payload)).toString("base64url");
+}
+function computeConnectionTokenSignature(secret, appKey, payloadEncoded) {
+  return crypto.createHmac("sha256", secret).update(`${appKey}.${payloadEncoded}`).digest("hex");
+}
+function buildConnectionToken(appKey, secret, options) {
+  if (!isValidClientId(options.clientId)) {
+    throw new Error("clientId must be 1-128 alphanumeric characters");
+  }
+  const payloadEncoded = encodePayload({
+    client_id: options.clientId,
+    exp: options.exp,
+    capabilities: normalizeCapabilities(options.capabilities)
+  });
+  const signature = computeConnectionTokenSignature(secret, appKey, payloadEncoded);
+  return `${appKey}.${payloadEncoded}.${signature}`;
+}
+function parseServerAuthRequest(body) {
+  if (!body || typeof body !== "object") {
+    return null;
+  }
+  const record = body;
+  const client_id = record.client_id ?? record.clientId;
+  if (!isValidClientId(client_id)) {
+    return null;
+  }
+  const user_data = record.user_data ?? record.userData;
+  const capabilities = record.capabilities;
+  const ttl = record.ttl;
+  return {
+    client_id,
+    user_data: user_data === void 0 ? null : user_data && typeof user_data === "object" ? user_data : null,
+    capabilities: capabilities && typeof capabilities === "object" ? capabilities : null,
+    ttl: typeof ttl === "number" ? ttl : null
+  };
+}
+function createAuthorizedServerAuthResponse(options) {
+  if (!isValidClientId(options.clientId)) {
+    throw new Error("clientId must be 1-128 alphanumeric characters");
+  }
+  const capabilities = normalizeCapabilities(options.capabilities);
+  const ttl = resolveTokenTtl(options.ttl);
+  if (options.credentials) {
+    const exp = Math.floor(Date.now() / 1e3) + ttl;
+    return {
+      token: buildConnectionToken(options.credentials.appKey, options.credentials.secret, {
+        clientId: options.clientId,
+        exp,
+        capabilities
+      })
+    };
+  }
+  return {
+    allowed: true,
+    client_id: options.clientId,
+    capabilities,
+    ttl
+  };
+}
+function createDeniedServerAuthResponse(reason) {
+  return reason ? { allowed: false, reason } : { allowed: false };
+}
+async function handleServerAuth(options) {
+  const decision = await options.isAuthorized(options.request);
+  if (decision === false) {
+    return createDeniedServerAuthResponse();
+  }
+  const clientId = decision.clientId ?? options.request.client_id;
+  if (!isValidClientId(clientId)) {
+    return createDeniedServerAuthResponse("invalid_client_id");
+  }
+  try {
+    return createAuthorizedServerAuthResponse({
+      clientId,
+      capabilities: decision.capabilities ?? options.request.capabilities ?? void 0,
+      ttl: decision.ttl ?? options.request.ttl ?? void 0,
+      credentials: options.credentials
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "invalid_request";
+    return createDeniedServerAuthResponse(message);
+  }
+}
+
+exports.buildConnectionToken = buildConnectionToken;
+exports.createAuthorizedServerAuthResponse = createAuthorizedServerAuthResponse;
+exports.createDeniedServerAuthResponse = createDeniedServerAuthResponse;
+exports.handleServerAuth = handleServerAuth;
+exports.isValidClientId = isValidClientId;
+exports.parseServerAuthRequest = parseServerAuthRequest;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/server/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server-auth.ts"],"names":["createHmac"],"mappings":";;;;;AAYA,IAAM,iBAAA,GAAoB,0BAAA;AAC1B,IAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAM,eAAA,GAAkB,KAAA;AAExB,IAAM,oBAAA,GAA+C;AAAA,EACnD,SAAA,EAAW,IAAA;AAAA,EACX,OAAA,EAAS,IAAA;AAAA,EACT,QAAA,EAAU;AACZ,CAAA;AAEO,SAAS,gBAAgB,QAAA,EAAuC;AACrE,EAAA,OAAO,OAAO,QAAA,KAAa,QAAA,IAAY,iBAAA,CAAkB,KAAK,QAAQ,CAAA;AACxE;AAEA,SAAS,sBACP,YAAA,EACwB;AACxB,EAAA,IAAI,CAAC,YAAA,IAAgB,OAAO,YAAA,KAAiB,QAAA,EAAU;AACrD,IAAA,OAAO,EAAE,GAAG,oBAAA,EAAqB;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,aAAa,SAAA,KAAc,KAAA;AAAA,IACtC,OAAA,EAAS,aAAa,OAAA,KAAY,KAAA;AAAA,IAClC,QAAA,EAAU,aAAa,QAAA,KAAa;AAAA,GACtC;AACF;AAEA,SAAS,gBAAgB,GAAA,EAA6B;AACpD,EAAA,IAAI,GAAA,KAAQ,MAAA,IAAa,GAAA,KAAQ,IAAA,EAAM;AACrC,IAAA,OAAO,mBAAA;AAAA,EACT;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,SAAA,CAAU,GAAG,CAAA,IAAK,OAAO,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,EAC5D;AAEA,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,eAAe,CAAA;AACtC;AAEA,SAAS,cAAc,OAAA,EAA0C;AAC/D,EAAA,OAAO,MAAA,CAAO,KAAK,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA,CAAE,SAAS,WAAW,CAAA;AAClE;AAEA,SAAS,+BAAA,CACP,MAAA,EACA,MAAA,EACA,cAAA,EACQ;AACR,EAAA,OAAOA,iBAAA,CAAW,QAAA,EAAU,MAAM,CAAA,CAAE,MAAA,CAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,cAAc,CAAA,CAAE,CAAA,CAAE,MAAA,CAAO,KAAK,CAAA;AACxF;AAGO,SAAS,oBAAA,CACd,MAAA,EACA,MAAA,EACA,OAAA,EAKQ;AACR,EAAA,IAAI,CAAC,eAAA,CAAgB,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EAClE;AAEA,EAAA,MAAM,iBAAiB,aAAA,CAAc;AAAA,IACnC,WAAW,OAAA,CAAQ,QAAA;AAAA,IACnB,KAAK,OAAA,CAAQ,GAAA;AAAA,IACb,YAAA,EAAc,qBAAA,CAAsB,OAAA,CAAQ,YAAY;AAAA,GACzD,CAAA;AAED,EAAA,MAAM,SAAA,GAAY,+BAAA,CAAgC,MAAA,EAAQ,MAAA,EAAQ,cAAc,CAAA;AAChF,EAAA,OAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,cAAc,IAAI,SAAS,CAAA,CAAA;AACjD;AAMO,SAAS,uBAAuB,IAAA,EAAyC;AAC9E,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACrC,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,IAAA;AACf,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,MAAA,CAAO,QAAA;AAE7C,EAAA,IAAI,CAAC,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,MAAA,CAAO,QAAA;AAC7C,EAAA,MAAM,eAAe,MAAA,CAAO,YAAA;AAC5B,EAAA,MAAM,MAAM,MAAA,CAAO,GAAA;AAEnB,EAAA,OAAO;AAAA,IACL,SAAA;AAAA,IACA,SAAA,EACE,cAAc,MAAA,GACV,IAAA,GACA,aAAa,OAAO,SAAA,KAAc,WAC/B,SAAA,GACD,IAAA;AAAA,IACR,YAAA,EACE,YAAA,IAAgB,OAAO,YAAA,KAAiB,WACnC,YAAA,GACD,IAAA;AAAA,IACN,GAAA,EAAK,OAAO,GAAA,KAAQ,QAAA,GAAW,GAAA,GAAM;AAAA,GACvC;AACF;AAQO,SAAS,mCACd,OAAA,EAC4B;AAC5B,EAAA,IAAI,CAAC,eAAA,CAAgB,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EAClE;AAEA,EAAA,MAAM,YAAA,GAAe,qBAAA,CAAsB,OAAA,CAAQ,YAAY,CAAA;AAC/D,EAAA,MAAM,GAAA,GAAM,eAAA,CAAgB,OAAA,CAAQ,GAAG,CAAA;AAEvC,EAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAA;AAC5C,IAAA,OAAO;AAAA,MACL,OAAO,oBAAA,CAAqB,OAAA,CAAQ,YAAY,MAAA,EAAQ,OAAA,CAAQ,YAAY,MAAA,EAAQ;AAAA,QAClF,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,GAAA;AAAA,QACA;AAAA,OACD;AAAA,KACH;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,IAAA;AAAA,IACT,WAAW,OAAA,CAAQ,QAAA;AAAA,IACnB,YAAA;AAAA,IACA;AAAA,GACF;AACF;AAGO,SAAS,+BAA+B,MAAA,EAA2C;AACxF,EAAA,OAAO,MAAA,GAAS,EAAE,OAAA,EAAS,KAAA,EAAO,QAAO,GAAI,EAAE,SAAS,KAAA,EAAM;AAChE;AAMA,eAAsB,iBACpB,OAAA,EAC6B;AAC7B,EAAA,MAAM,QAAA,GAA+B,MAAM,OAAA,CAAQ,YAAA,CAAa,QAAQ,OAAO,CAAA;AAE/E,EAAA,IAAI,aAAa,KAAA,EAAO;AACtB,IAAA,OAAO,8BAAA,EAA+B;AAAA,EACxC;AAEA,EAAA,MAAM,QAAA,GAAW,QAAA,CAAS,QAAA,IAAY,OAAA,CAAQ,OAAA,CAAQ,SAAA;AACtD,EAAA,IAAI,CAAC,eAAA,CAAgB,QAAQ,CAAA,EAAG;AAC9B,IAAA,OAAO,+BAA+B,mBAAmB,CAAA;AAAA,EAC3D;AAEA,EAAA,IAAI;AACF,IAAA,OAAO,kCAAA,CAAmC;AAAA,MACxC,QAAA;AAAA,MACA,YAAA,EAAc,QAAA,CAAS,YAAA,IAAgB,OAAA,CAAQ,QAAQ,YAAA,IAAgB,KAAA,CAAA;AAAA,MACvE,GAAA,EAAK,QAAA,CAAS,GAAA,IAAO,OAAA,CAAQ,QAAQ,GAAA,IAAO,KAAA,CAAA;AAAA,MAC5C,aAAa,OAAA,CAAQ;AAAA,KACtB,CAAA;AAAA,EACH,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,OAAA,GAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,iBAAA;AACrD,IAAA,OAAO,+BAA+B,OAAO,CAAA;AAAA,EAC/C;AACF","file":"index.cjs","sourcesContent":["import { createHmac } from 'node:crypto'\nimport type {\n  ConnectionCapabilities,\n  CreateAuthorizedServerAuthResponseOptions,\n  HandleServerAuthOptions,\n  ServerAuthApprovedResponse,\n  ServerAuthDeniedResponse,\n  ServerAuthRequest,\n  ServerAuthResponse,\n  ServerAuthDecision,\n} from './types'\n\nconst CLIENT_ID_PATTERN = /^[a-zA-Z0-9_\\-.]{1,128}$/\nconst DEFAULT_TTL_SECONDS = 3600\nconst MAX_TTL_SECONDS = 86400\n\nconst DEFAULT_CAPABILITIES: ConnectionCapabilities = {\n  subscribe: true,\n  publish: true,\n  presence: true,\n}\n\nexport function isValidClientId(clientId: unknown): clientId is string {\n  return typeof clientId === 'string' && CLIENT_ID_PATTERN.test(clientId)\n}\n\nfunction normalizeCapabilities(\n  capabilities?: Partial<ConnectionCapabilities> | null\n): ConnectionCapabilities {\n  if (!capabilities || typeof capabilities !== 'object') {\n    return { ...DEFAULT_CAPABILITIES }\n  }\n\n  return {\n    subscribe: capabilities.subscribe !== false,\n    publish: capabilities.publish !== false,\n    presence: capabilities.presence !== false,\n  }\n}\n\nfunction resolveTokenTtl(ttl?: number | null): number {\n  if (ttl === undefined || ttl === null) {\n    return DEFAULT_TTL_SECONDS\n  }\n\n  if (!Number.isInteger(ttl) || ttl <= 0) {\n    throw new Error('ttl must be a positive integer (seconds)')\n  }\n\n  return Math.min(ttl, MAX_TTL_SECONDS)\n}\n\nfunction encodePayload(payload: Record<string, unknown>): string {\n  return Buffer.from(JSON.stringify(payload)).toString('base64url')\n}\n\nfunction computeConnectionTokenSignature(\n  secret: string,\n  appKey: string,\n  payloadEncoded: string\n): string {\n  return createHmac('sha256', secret).update(`${appKey}.${payloadEncoded}`).digest('hex')\n}\n\n/** Build a signed connection token in Ark Notify format. */\nexport function buildConnectionToken(\n  appKey: string,\n  secret: string,\n  options: {\n    clientId: string\n    exp: number\n    capabilities?: Partial<ConnectionCapabilities>\n  }\n): string {\n  if (!isValidClientId(options.clientId)) {\n    throw new Error('clientId must be 1-128 alphanumeric characters')\n  }\n\n  const payloadEncoded = encodePayload({\n    client_id: options.clientId,\n    exp: options.exp,\n    capabilities: normalizeCapabilities(options.capabilities),\n  })\n\n  const signature = computeConnectionTokenSignature(secret, appKey, payloadEncoded)\n  return `${appKey}.${payloadEncoded}.${signature}`\n}\n\n/**\n * Parse the JSON body Ark Notify sends to your `serverAuthUrl`.\n * Returns null when the payload is invalid.\n */\nexport function parseServerAuthRequest(body: unknown): ServerAuthRequest | null {\n  if (!body || typeof body !== 'object') {\n    return null\n  }\n\n  const record = body as Record<string, unknown>\n  const client_id = record.client_id ?? record.clientId\n\n  if (!isValidClientId(client_id)) {\n    return null\n  }\n\n  const user_data = record.user_data ?? record.userData\n  const capabilities = record.capabilities\n  const ttl = record.ttl\n\n  return {\n    client_id,\n    user_data:\n      user_data === undefined\n        ? null\n        : user_data && typeof user_data === 'object'\n          ? (user_data as Record<string, unknown>)\n          : null,\n    capabilities:\n      capabilities && typeof capabilities === 'object'\n        ? (capabilities as Partial<ConnectionCapabilities>)\n        : null,\n    ttl: typeof ttl === 'number' ? ttl : null,\n  }\n}\n\n/**\n * Build an approved response for your `serverAuthUrl` webhook.\n *\n * - Without `credentials`: returns `{ allowed: true, client_id, ... }` (option A).\n * - With `credentials`: returns `{ token }` with a pre-signed token (option B).\n */\nexport function createAuthorizedServerAuthResponse(\n  options: CreateAuthorizedServerAuthResponseOptions\n): ServerAuthApprovedResponse {\n  if (!isValidClientId(options.clientId)) {\n    throw new Error('clientId must be 1-128 alphanumeric characters')\n  }\n\n  const capabilities = normalizeCapabilities(options.capabilities)\n  const ttl = resolveTokenTtl(options.ttl)\n\n  if (options.credentials) {\n    const exp = Math.floor(Date.now() / 1000) + ttl\n    return {\n      token: buildConnectionToken(options.credentials.appKey, options.credentials.secret, {\n        clientId: options.clientId,\n        exp,\n        capabilities,\n      }),\n    }\n  }\n\n  return {\n    allowed: true,\n    client_id: options.clientId,\n    capabilities,\n    ttl,\n  }\n}\n\n/** Build a denied response for your `serverAuthUrl` webhook. */\nexport function createDeniedServerAuthResponse(reason?: string): ServerAuthDeniedResponse {\n  return reason ? { allowed: false, reason } : { allowed: false }\n}\n\n/**\n * Authenticate an incoming `serverAuthUrl` request and return the webhook response\n * body Ark Notify expects.\n */\nexport async function handleServerAuth(\n  options: HandleServerAuthOptions\n): Promise<ServerAuthResponse> {\n  const decision: ServerAuthDecision = await options.isAuthorized(options.request)\n\n  if (decision === false) {\n    return createDeniedServerAuthResponse()\n  }\n\n  const clientId = decision.clientId ?? options.request.client_id\n  if (!isValidClientId(clientId)) {\n    return createDeniedServerAuthResponse('invalid_client_id')\n  }\n\n  try {\n    return createAuthorizedServerAuthResponse({\n      clientId,\n      capabilities: decision.capabilities ?? options.request.capabilities ?? undefined,\n      ttl: decision.ttl ?? options.request.ttl ?? undefined,\n      credentials: options.credentials,\n    })\n  } catch (err) {\n    const message = err instanceof Error ? err.message : 'invalid_request'\n    return createDeniedServerAuthResponse(message)\n  }\n}\n"]}

package/dist/server/index.d.cts

@@ -0,0 +1,31 @@
+import { m as ConnectionCapabilities, p as CreateAuthorizedServerAuthResponseOptions, D as ServerAuthApprovedResponse, G as ServerAuthDeniedResponse, H as HandleServerAuthOptions, J as ServerAuthResponse, I as ServerAuthRequest } from '../types-tQECeZab.cjs';
+export { S as ServerAuthAllowedResponse, F as ServerAuthDecision, K as ServerAuthTokenResponse } from '../types-tQECeZab.cjs';
+
+declare function isValidClientId(clientId: unknown): clientId is string;
+/** Build a signed connection token in Ark Notify format. */
+declare function buildConnectionToken(appKey: string, secret: string, options: {
+    clientId: string;
+    exp: number;
+    capabilities?: Partial<ConnectionCapabilities>;
+}): string;
+/**
+ * Parse the JSON body Ark Notify sends to your `serverAuthUrl`.
+ * Returns null when the payload is invalid.
+ */
+declare function parseServerAuthRequest(body: unknown): ServerAuthRequest | null;
+/**
+ * Build an approved response for your `serverAuthUrl` webhook.
+ *
+ * - Without `credentials`: returns `{ allowed: true, client_id, ... }` (option A).
+ * - With `credentials`: returns `{ token }` with a pre-signed token (option B).
+ */
+declare function createAuthorizedServerAuthResponse(options: CreateAuthorizedServerAuthResponseOptions): ServerAuthApprovedResponse;
+/** Build a denied response for your `serverAuthUrl` webhook. */
+declare function createDeniedServerAuthResponse(reason?: string): ServerAuthDeniedResponse;
+/**
+ * Authenticate an incoming `serverAuthUrl` request and return the webhook response
+ * body Ark Notify expects.
+ */
+declare function handleServerAuth(options: HandleServerAuthOptions): Promise<ServerAuthResponse>;
+
+export { CreateAuthorizedServerAuthResponseOptions, HandleServerAuthOptions, ServerAuthApprovedResponse, ServerAuthDeniedResponse, ServerAuthRequest, ServerAuthResponse, buildConnectionToken, createAuthorizedServerAuthResponse, createDeniedServerAuthResponse, handleServerAuth, isValidClientId, parseServerAuthRequest };

package/dist/server/index.d.ts

@@ -0,0 +1,31 @@
+import { m as ConnectionCapabilities, p as CreateAuthorizedServerAuthResponseOptions, D as ServerAuthApprovedResponse, G as ServerAuthDeniedResponse, H as HandleServerAuthOptions, J as ServerAuthResponse, I as ServerAuthRequest } from '../types-tQECeZab.js';
+export { S as ServerAuthAllowedResponse, F as ServerAuthDecision, K as ServerAuthTokenResponse } from '../types-tQECeZab.js';
+
+declare function isValidClientId(clientId: unknown): clientId is string;
+/** Build a signed connection token in Ark Notify format. */
+declare function buildConnectionToken(appKey: string, secret: string, options: {
+    clientId: string;
+    exp: number;
+    capabilities?: Partial<ConnectionCapabilities>;
+}): string;
+/**
+ * Parse the JSON body Ark Notify sends to your `serverAuthUrl`.
+ * Returns null when the payload is invalid.
+ */
+declare function parseServerAuthRequest(body: unknown): ServerAuthRequest | null;
+/**
+ * Build an approved response for your `serverAuthUrl` webhook.
+ *
+ * - Without `credentials`: returns `{ allowed: true, client_id, ... }` (option A).
+ * - With `credentials`: returns `{ token }` with a pre-signed token (option B).
+ */
+declare function createAuthorizedServerAuthResponse(options: CreateAuthorizedServerAuthResponseOptions): ServerAuthApprovedResponse;
+/** Build a denied response for your `serverAuthUrl` webhook. */
+declare function createDeniedServerAuthResponse(reason?: string): ServerAuthDeniedResponse;
+/**
+ * Authenticate an incoming `serverAuthUrl` request and return the webhook response
+ * body Ark Notify expects.
+ */
+declare function handleServerAuth(options: HandleServerAuthOptions): Promise<ServerAuthResponse>;
+
+export { CreateAuthorizedServerAuthResponseOptions, HandleServerAuthOptions, ServerAuthApprovedResponse, ServerAuthDeniedResponse, ServerAuthRequest, ServerAuthResponse, buildConnectionToken, createAuthorizedServerAuthResponse, createDeniedServerAuthResponse, handleServerAuth, isValidClientId, parseServerAuthRequest };

package/dist/server/index.js

@@ -0,0 +1,121 @@
+import { createHmac } from 'crypto';
+
+// src/server-auth.ts
+var CLIENT_ID_PATTERN = /^[a-zA-Z0-9_\-.]{1,128}$/;
+var DEFAULT_TTL_SECONDS = 3600;
+var MAX_TTL_SECONDS = 86400;
+var DEFAULT_CAPABILITIES = {
+  subscribe: true,
+  publish: true,
+  presence: true
+};
+function isValidClientId(clientId) {
+  return typeof clientId === "string" && CLIENT_ID_PATTERN.test(clientId);
+}
+function normalizeCapabilities(capabilities) {
+  if (!capabilities || typeof capabilities !== "object") {
+    return { ...DEFAULT_CAPABILITIES };
+  }
+  return {
+    subscribe: capabilities.subscribe !== false,
+    publish: capabilities.publish !== false,
+    presence: capabilities.presence !== false
+  };
+}
+function resolveTokenTtl(ttl) {
+  if (ttl === void 0 || ttl === null) {
+    return DEFAULT_TTL_SECONDS;
+  }
+  if (!Number.isInteger(ttl) || ttl <= 0) {
+    throw new Error("ttl must be a positive integer (seconds)");
+  }
+  return Math.min(ttl, MAX_TTL_SECONDS);
+}
+function encodePayload(payload) {
+  return Buffer.from(JSON.stringify(payload)).toString("base64url");
+}
+function computeConnectionTokenSignature(secret, appKey, payloadEncoded) {
+  return createHmac("sha256", secret).update(`${appKey}.${payloadEncoded}`).digest("hex");
+}
+function buildConnectionToken(appKey, secret, options) {
+  if (!isValidClientId(options.clientId)) {
+    throw new Error("clientId must be 1-128 alphanumeric characters");
+  }
+  const payloadEncoded = encodePayload({
+    client_id: options.clientId,
+    exp: options.exp,
+    capabilities: normalizeCapabilities(options.capabilities)
+  });
+  const signature = computeConnectionTokenSignature(secret, appKey, payloadEncoded);
+  return `${appKey}.${payloadEncoded}.${signature}`;
+}
+function parseServerAuthRequest(body) {
+  if (!body || typeof body !== "object") {
+    return null;
+  }
+  const record = body;
+  const client_id = record.client_id ?? record.clientId;
+  if (!isValidClientId(client_id)) {
+    return null;
+  }
+  const user_data = record.user_data ?? record.userData;
+  const capabilities = record.capabilities;
+  const ttl = record.ttl;
+  return {
+    client_id,
+    user_data: user_data === void 0 ? null : user_data && typeof user_data === "object" ? user_data : null,
+    capabilities: capabilities && typeof capabilities === "object" ? capabilities : null,
+    ttl: typeof ttl === "number" ? ttl : null
+  };
+}
+function createAuthorizedServerAuthResponse(options) {
+  if (!isValidClientId(options.clientId)) {
+    throw new Error("clientId must be 1-128 alphanumeric characters");
+  }
+  const capabilities = normalizeCapabilities(options.capabilities);
+  const ttl = resolveTokenTtl(options.ttl);
+  if (options.credentials) {
+    const exp = Math.floor(Date.now() / 1e3) + ttl;
+    return {
+      token: buildConnectionToken(options.credentials.appKey, options.credentials.secret, {
+        clientId: options.clientId,
+        exp,
+        capabilities
+      })
+    };
+  }
+  return {
+    allowed: true,
+    client_id: options.clientId,
+    capabilities,
+    ttl
+  };
+}
+function createDeniedServerAuthResponse(reason) {
+  return reason ? { allowed: false, reason } : { allowed: false };
+}
+async function handleServerAuth(options) {
+  const decision = await options.isAuthorized(options.request);
+  if (decision === false) {
+    return createDeniedServerAuthResponse();
+  }
+  const clientId = decision.clientId ?? options.request.client_id;
+  if (!isValidClientId(clientId)) {
+    return createDeniedServerAuthResponse("invalid_client_id");
+  }
+  try {
+    return createAuthorizedServerAuthResponse({
+      clientId,
+      capabilities: decision.capabilities ?? options.request.capabilities ?? void 0,
+      ttl: decision.ttl ?? options.request.ttl ?? void 0,
+      credentials: options.credentials
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "invalid_request";
+    return createDeniedServerAuthResponse(message);
+  }
+}
+
+export { buildConnectionToken, createAuthorizedServerAuthResponse, createDeniedServerAuthResponse, handleServerAuth, isValidClientId, parseServerAuthRequest };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server-auth.ts"],"names":[],"mappings":";;;AAYA,IAAM,iBAAA,GAAoB,0BAAA;AAC1B,IAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAM,eAAA,GAAkB,KAAA;AAExB,IAAM,oBAAA,GAA+C;AAAA,EACnD,SAAA,EAAW,IAAA;AAAA,EACX,OAAA,EAAS,IAAA;AAAA,EACT,QAAA,EAAU;AACZ,CAAA;AAEO,SAAS,gBAAgB,QAAA,EAAuC;AACrE,EAAA,OAAO,OAAO,QAAA,KAAa,QAAA,IAAY,iBAAA,CAAkB,KAAK,QAAQ,CAAA;AACxE;AAEA,SAAS,sBACP,YAAA,EACwB;AACxB,EAAA,IAAI,CAAC,YAAA,IAAgB,OAAO,YAAA,KAAiB,QAAA,EAAU;AACrD,IAAA,OAAO,EAAE,GAAG,oBAAA,EAAqB;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,aAAa,SAAA,KAAc,KAAA;AAAA,IACtC,OAAA,EAAS,aAAa,OAAA,KAAY,KAAA;AAAA,IAClC,QAAA,EAAU,aAAa,QAAA,KAAa;AAAA,GACtC;AACF;AAEA,SAAS,gBAAgB,GAAA,EAA6B;AACpD,EAAA,IAAI,GAAA,KAAQ,MAAA,IAAa,GAAA,KAAQ,IAAA,EAAM;AACrC,IAAA,OAAO,mBAAA;AAAA,EACT;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,SAAA,CAAU,GAAG,CAAA,IAAK,OAAO,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,EAC5D;AAEA,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,eAAe,CAAA;AACtC;AAEA,SAAS,cAAc,OAAA,EAA0C;AAC/D,EAAA,OAAO,MAAA,CAAO,KAAK,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA,CAAE,SAAS,WAAW,CAAA;AAClE;AAEA,SAAS,+BAAA,CACP,MAAA,EACA,MAAA,EACA,cAAA,EACQ;AACR,EAAA,OAAO,UAAA,CAAW,QAAA,EAAU,MAAM,CAAA,CAAE,MAAA,CAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,cAAc,CAAA,CAAE,CAAA,CAAE,MAAA,CAAO,KAAK,CAAA;AACxF;AAGO,SAAS,oBAAA,CACd,MAAA,EACA,MAAA,EACA,OAAA,EAKQ;AACR,EAAA,IAAI,CAAC,eAAA,CAAgB,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EAClE;AAEA,EAAA,MAAM,iBAAiB,aAAA,CAAc;AAAA,IACnC,WAAW,OAAA,CAAQ,QAAA;AAAA,IACnB,KAAK,OAAA,CAAQ,GAAA;AAAA,IACb,YAAA,EAAc,qBAAA,CAAsB,OAAA,CAAQ,YAAY;AAAA,GACzD,CAAA;AAED,EAAA,MAAM,SAAA,GAAY,+BAAA,CAAgC,MAAA,EAAQ,MAAA,EAAQ,cAAc,CAAA;AAChF,EAAA,OAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,cAAc,IAAI,SAAS,CAAA,CAAA;AACjD;AAMO,SAAS,uBAAuB,IAAA,EAAyC;AAC9E,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACrC,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,IAAA;AACf,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,MAAA,CAAO,QAAA;AAE7C,EAAA,IAAI,CAAC,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,MAAA,CAAO,QAAA;AAC7C,EAAA,MAAM,eAAe,MAAA,CAAO,YAAA;AAC5B,EAAA,MAAM,MAAM,MAAA,CAAO,GAAA;AAEnB,EAAA,OAAO;AAAA,IACL,SAAA;AAAA,IACA,SAAA,EACE,cAAc,MAAA,GACV,IAAA,GACA,aAAa,OAAO,SAAA,KAAc,WAC/B,SAAA,GACD,IAAA;AAAA,IACR,YAAA,EACE,YAAA,IAAgB,OAAO,YAAA,KAAiB,WACnC,YAAA,GACD,IAAA;AAAA,IACN,GAAA,EAAK,OAAO,GAAA,KAAQ,QAAA,GAAW,GAAA,GAAM;AAAA,GACvC;AACF;AAQO,SAAS,mCACd,OAAA,EAC4B;AAC5B,EAAA,IAAI,CAAC,eAAA,CAAgB,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EAClE;AAEA,EAAA,MAAM,YAAA,GAAe,qBAAA,CAAsB,OAAA,CAAQ,YAAY,CAAA;AAC/D,EAAA,MAAM,GAAA,GAAM,eAAA,CAAgB,OAAA,CAAQ,GAAG,CAAA;AAEvC,EAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAA;AAC5C,IAAA,OAAO;AAAA,MACL,OAAO,oBAAA,CAAqB,OAAA,CAAQ,YAAY,MAAA,EAAQ,OAAA,CAAQ,YAAY,MAAA,EAAQ;AAAA,QAClF,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,GAAA;AAAA,QACA;AAAA,OACD;AAAA,KACH;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,IAAA;AAAA,IACT,WAAW,OAAA,CAAQ,QAAA;AAAA,IACnB,YAAA;AAAA,IACA;AAAA,GACF;AACF;AAGO,SAAS,+BAA+B,MAAA,EAA2C;AACxF,EAAA,OAAO,MAAA,GAAS,EAAE,OAAA,EAAS,KAAA,EAAO,QAAO,GAAI,EAAE,SAAS,KAAA,EAAM;AAChE;AAMA,eAAsB,iBACpB,OAAA,EAC6B;AAC7B,EAAA,MAAM,QAAA,GAA+B,MAAM,OAAA,CAAQ,YAAA,CAAa,QAAQ,OAAO,CAAA;AAE/E,EAAA,IAAI,aAAa,KAAA,EAAO;AACtB,IAAA,OAAO,8BAAA,EAA+B;AAAA,EACxC;AAEA,EAAA,MAAM,QAAA,GAAW,QAAA,CAAS,QAAA,IAAY,OAAA,CAAQ,OAAA,CAAQ,SAAA;AACtD,EAAA,IAAI,CAAC,eAAA,CAAgB,QAAQ,CAAA,EAAG;AAC9B,IAAA,OAAO,+BAA+B,mBAAmB,CAAA;AAAA,EAC3D;AAEA,EAAA,IAAI;AACF,IAAA,OAAO,kCAAA,CAAmC;AAAA,MACxC,QAAA;AAAA,MACA,YAAA,EAAc,QAAA,CAAS,YAAA,IAAgB,OAAA,CAAQ,QAAQ,YAAA,IAAgB,KAAA,CAAA;AAAA,MACvE,GAAA,EAAK,QAAA,CAAS,GAAA,IAAO,OAAA,CAAQ,QAAQ,GAAA,IAAO,KAAA,CAAA;AAAA,MAC5C,aAAa,OAAA,CAAQ;AAAA,KACtB,CAAA;AAAA,EACH,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,OAAA,GAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,iBAAA;AACrD,IAAA,OAAO,+BAA+B,OAAO,CAAA;AAAA,EAC/C;AACF","file":"index.js","sourcesContent":["import { createHmac } from 'node:crypto'\nimport type {\n  ConnectionCapabilities,\n  CreateAuthorizedServerAuthResponseOptions,\n  HandleServerAuthOptions,\n  ServerAuthApprovedResponse,\n  ServerAuthDeniedResponse,\n  ServerAuthRequest,\n  ServerAuthResponse,\n  ServerAuthDecision,\n} from './types'\n\nconst CLIENT_ID_PATTERN = /^[a-zA-Z0-9_\\-.]{1,128}$/\nconst DEFAULT_TTL_SECONDS = 3600\nconst MAX_TTL_SECONDS = 86400\n\nconst DEFAULT_CAPABILITIES: ConnectionCapabilities = {\n  subscribe: true,\n  publish: true,\n  presence: true,\n}\n\nexport function isValidClientId(clientId: unknown): clientId is string {\n  return typeof clientId === 'string' && CLIENT_ID_PATTERN.test(clientId)\n}\n\nfunction normalizeCapabilities(\n  capabilities?: Partial<ConnectionCapabilities> | null\n): ConnectionCapabilities {\n  if (!capabilities || typeof capabilities !== 'object') {\n    return { ...DEFAULT_CAPABILITIES }\n  }\n\n  return {\n    subscribe: capabilities.subscribe !== false,\n    publish: capabilities.publish !== false,\n    presence: capabilities.presence !== false,\n  }\n}\n\nfunction resolveTokenTtl(ttl?: number | null): number {\n  if (ttl === undefined || ttl === null) {\n    return DEFAULT_TTL_SECONDS\n  }\n\n  if (!Number.isInteger(ttl) || ttl <= 0) {\n    throw new Error('ttl must be a positive integer (seconds)')\n  }\n\n  return Math.min(ttl, MAX_TTL_SECONDS)\n}\n\nfunction encodePayload(payload: Record<string, unknown>): string {\n  return Buffer.from(JSON.stringify(payload)).toString('base64url')\n}\n\nfunction computeConnectionTokenSignature(\n  secret: string,\n  appKey: string,\n  payloadEncoded: string\n): string {\n  return createHmac('sha256', secret).update(`${appKey}.${payloadEncoded}`).digest('hex')\n}\n\n/** Build a signed connection token in Ark Notify format. */\nexport function buildConnectionToken(\n  appKey: string,\n  secret: string,\n  options: {\n    clientId: string\n    exp: number\n    capabilities?: Partial<ConnectionCapabilities>\n  }\n): string {\n  if (!isValidClientId(options.clientId)) {\n    throw new Error('clientId must be 1-128 alphanumeric characters')\n  }\n\n  const payloadEncoded = encodePayload({\n    client_id: options.clientId,\n    exp: options.exp,\n    capabilities: normalizeCapabilities(options.capabilities),\n  })\n\n  const signature = computeConnectionTokenSignature(secret, appKey, payloadEncoded)\n  return `${appKey}.${payloadEncoded}.${signature}`\n}\n\n/**\n * Parse the JSON body Ark Notify sends to your `serverAuthUrl`.\n * Returns null when the payload is invalid.\n */\nexport function parseServerAuthRequest(body: unknown): ServerAuthRequest | null {\n  if (!body || typeof body !== 'object') {\n    return null\n  }\n\n  const record = body as Record<string, unknown>\n  const client_id = record.client_id ?? record.clientId\n\n  if (!isValidClientId(client_id)) {\n    return null\n  }\n\n  const user_data = record.user_data ?? record.userData\n  const capabilities = record.capabilities\n  const ttl = record.ttl\n\n  return {\n    client_id,\n    user_data:\n      user_data === undefined\n        ? null\n        : user_data && typeof user_data === 'object'\n          ? (user_data as Record<string, unknown>)\n          : null,\n    capabilities:\n      capabilities && typeof capabilities === 'object'\n        ? (capabilities as Partial<ConnectionCapabilities>)\n        : null,\n    ttl: typeof ttl === 'number' ? ttl : null,\n  }\n}\n\n/**\n * Build an approved response for your `serverAuthUrl` webhook.\n *\n * - Without `credentials`: returns `{ allowed: true, client_id, ... }` (option A).\n * - With `credentials`: returns `{ token }` with a pre-signed token (option B).\n */\nexport function createAuthorizedServerAuthResponse(\n  options: CreateAuthorizedServerAuthResponseOptions\n): ServerAuthApprovedResponse {\n  if (!isValidClientId(options.clientId)) {\n    throw new Error('clientId must be 1-128 alphanumeric characters')\n  }\n\n  const capabilities = normalizeCapabilities(options.capabilities)\n  const ttl = resolveTokenTtl(options.ttl)\n\n  if (options.credentials) {\n    const exp = Math.floor(Date.now() / 1000) + ttl\n    return {\n      token: buildConnectionToken(options.credentials.appKey, options.credentials.secret, {\n        clientId: options.clientId,\n        exp,\n        capabilities,\n      }),\n    }\n  }\n\n  return {\n    allowed: true,\n    client_id: options.clientId,\n    capabilities,\n    ttl,\n  }\n}\n\n/** Build a denied response for your `serverAuthUrl` webhook. */\nexport function createDeniedServerAuthResponse(reason?: string): ServerAuthDeniedResponse {\n  return reason ? { allowed: false, reason } : { allowed: false }\n}\n\n/**\n * Authenticate an incoming `serverAuthUrl` request and return the webhook response\n * body Ark Notify expects.\n */\nexport async function handleServerAuth(\n  options: HandleServerAuthOptions\n): Promise<ServerAuthResponse> {\n  const decision: ServerAuthDecision = await options.isAuthorized(options.request)\n\n  if (decision === false) {\n    return createDeniedServerAuthResponse()\n  }\n\n  const clientId = decision.clientId ?? options.request.client_id\n  if (!isValidClientId(clientId)) {\n    return createDeniedServerAuthResponse('invalid_client_id')\n  }\n\n  try {\n    return createAuthorizedServerAuthResponse({\n      clientId,\n      capabilities: decision.capabilities ?? options.request.capabilities ?? undefined,\n      ttl: decision.ttl ?? options.request.ttl ?? undefined,\n      credentials: options.credentials,\n    })\n  } catch (err) {\n    const message = err instanceof Error ? err.message : 'invalid_request'\n    return createDeniedServerAuthResponse(message)\n  }\n}\n"]}

package/dist/types-tQECeZab.d.cts

@@ -0,0 +1,257 @@
+type UserRole = 'SYSTEM_ADMIN' | 'ACCOUNT_ADMIN' | 'ACCOUNT_USER';
+interface User {
+    id: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+    role: UserRole;
+    createdAt: string;
+}
+interface ApiError {
+    error: string;
+    message: string;
+    reason?: string;
+    retryAfterSec?: number;
+}
+interface ConnectionCapabilities {
+    subscribe: boolean;
+    publish: boolean;
+    presence: boolean;
+}
+interface Application {
+    id: string;
+    name: string;
+    appKey: string;
+    tenantId: string;
+    authWebhookUrl: string | null;
+    requireClientAuth: boolean;
+    serverAuthUrl: string | null;
+    messageHistorySize: number;
+    createdAt: string;
+    updatedAt: string;
+    secret?: string;
+}
+interface CreateApplicationInput {
+    name: string;
+    authWebhookUrl?: string | null;
+    requireClientAuth?: boolean;
+    serverAuthUrl?: string | null;
+    messageHistorySize?: number;
+}
+interface UpdateApplicationInput {
+    name?: string;
+    authWebhookUrl?: string | null;
+    requireClientAuth?: boolean;
+    serverAuthUrl?: string | null;
+    messageHistorySize?: number;
+}
+interface LoginInput {
+    email: string;
+    password: string;
+}
+interface AuthResponse {
+    user: User;
+    token: string;
+}
+interface PublishEventInput {
+    channel: string;
+    event: string;
+    data?: unknown;
+}
+interface PublishEventResponse {
+    published: boolean;
+    channel: string;
+    event: string;
+}
+interface ChannelAuthInput {
+    socket_id?: string;
+    connection_id?: string;
+    channel_name: string;
+    user_data?: Record<string, unknown>;
+}
+interface ChannelAuthResponse {
+    auth: string;
+}
+interface ConnectionTokenInput {
+    client_id?: string;
+    clientId?: string;
+    user_data?: Record<string, unknown>;
+    userData?: Record<string, unknown>;
+    serverAuthUrl?: string | null;
+    server_auth_url?: string | null;
+    ttl?: number;
+    capabilities?: Partial<ConnectionCapabilities>;
+}
+interface ConnectionTokenResponse {
+    token: string;
+    client_id: string;
+    expires_at: number;
+    capabilities: ConnectionCapabilities;
+}
+/** Payload Ark Notify POSTs to your `serverAuthUrl`. */
+interface ServerAuthRequest {
+    client_id: string;
+    user_data?: Record<string, unknown> | null;
+    capabilities?: Partial<ConnectionCapabilities> | null;
+    ttl?: number | null;
+}
+/** Approve a connection token request (option A). */
+interface ServerAuthAllowedResponse {
+    allowed: true;
+    client_id: string;
+    capabilities?: ConnectionCapabilities;
+    ttl?: number;
+}
+/** Approve with a pre-signed token (option B). */
+interface ServerAuthTokenResponse {
+    token: string;
+}
+type ServerAuthApprovedResponse = ServerAuthAllowedResponse | ServerAuthTokenResponse;
+interface ServerAuthDeniedResponse {
+    allowed: false;
+    reason?: string;
+}
+type ServerAuthResponse = ServerAuthApprovedResponse | ServerAuthDeniedResponse;
+interface CreateAuthorizedServerAuthResponseOptions {
+    clientId: string;
+    capabilities?: Partial<ConnectionCapabilities>;
+    ttl?: number;
+    /** When provided, returns a pre-signed token instead of `{ allowed: true }`. */
+    credentials?: AppCredentials;
+}
+type ServerAuthDecision = false | {
+    clientId?: string;
+    capabilities?: Partial<ConnectionCapabilities>;
+    ttl?: number;
+};
+interface HandleServerAuthOptions {
+    request: ServerAuthRequest;
+    isAuthorized: (request: ServerAuthRequest) => ServerAuthDecision | Promise<ServerAuthDecision>;
+    credentials?: AppCredentials;
+}
+type ConnectionState = 'disconnected' | 'connecting' | 'connected' | 'reconnecting' | 'failed';
+interface ConnectedMessage {
+    type: 'connected';
+    connection_id: string;
+    client_id: string;
+    app_key: string;
+    authenticated: boolean;
+    channels?: string[];
+}
+interface EventMessage {
+    type: 'event';
+    channel: string;
+    event: string;
+    data: unknown;
+    clientId: string | null;
+    timestamp: number;
+}
+interface PresenceMemberInfo {
+    connectionId: string;
+    clientId: string;
+    data: Record<string, unknown>;
+    updatedAt: number;
+}
+type PresenceAction = 'enter' | 'leave' | 'update' | 'sync';
+interface PresenceMessage {
+    type: 'presence';
+    channel: string;
+    action: PresenceAction;
+    member: PresenceMemberInfo | null;
+    members: PresenceMemberInfo[] | null;
+    timestamp: number;
+}
+interface SubscribedMessage {
+    type: 'subscribed';
+    channel: string;
+}
+interface UnsubscribedMessage {
+    type: 'unsubscribed';
+    channel: string;
+}
+interface PublishedMessage {
+    type: 'published';
+    channel: string;
+    event: string;
+}
+interface PongMessage {
+    type: 'pong';
+    timestamp: number;
+}
+interface PingMessage {
+    type: 'ping';
+}
+interface ServerErrorMessage {
+    type: 'error';
+    code: string;
+    message: string;
+}
+interface PresenceUpdatedMessage {
+    type: 'presence_updated';
+    channel: string;
+    data: Record<string, unknown>;
+}
+interface PresenceLeftMessage {
+    type: 'presence_left';
+    channel: string;
+}
+type ServerMessage = ConnectedMessage | EventMessage | PresenceMessage | SubscribedMessage | UnsubscribedMessage | PublishedMessage | PongMessage | PingMessage | ServerErrorMessage | PresenceUpdatedMessage | PresenceLeftMessage;
+interface ArkNotifyClientConfig {
+    baseUrl?: string;
+    token?: string | (() => string | null | undefined);
+    fetch?: typeof fetch;
+}
+interface AppCredentials {
+    appKey: string;
+    secret: string;
+}
+type PrivateChannelAuthHandler = (channel: string, connectionId: string) => Promise<string>;
+interface ArkNotifyConnectionConfig {
+    baseUrl?: string;
+    appKey: string;
+    clientId?: string;
+    /** Signed connection token, or a resolver. Omit to auto-fetch when `clientId` is set. */
+    token?: string | (() => string | null | undefined);
+    /** App credentials for auto-fetching a connection token (backend-only when no serverAuthUrl). */
+    credentials?: AppCredentials;
+    /** Override server auth URL when auto-fetching a token; uses the application default when omitted. */
+    serverAuthUrl?: string | null;
+    /** Forwarded to the connection-token endpoint when auto-fetching a token. */
+    user_data?: Record<string, unknown>;
+    autoReconnect?: boolean;
+    reconnectDelayMs?: number;
+    maxReconnectDelayMs?: number;
+    onPrivateChannelAuth?: PrivateChannelAuthHandler;
+    fetch?: typeof fetch;
+    WebSocket?: typeof WebSocket;
+}
+interface SubscribeOptions {
+    history?: boolean;
+    presence?: boolean;
+    presence_data?: Record<string, unknown>;
+    auth?: string;
+}
+interface ArkNotifySSEConfig {
+    baseUrl?: string;
+    appKey: string;
+    channels: string[];
+    clientId?: string;
+    token?: string | (() => string | null | undefined);
+    auth?: Record<string, string>;
+    user_data?: Record<string, unknown>;
+    history?: boolean;
+    onPrivateChannelAuth?: PrivateChannelAuthHandler;
+    EventSource?: typeof EventSource;
+}
+interface ChannelEventHandler<T = unknown> {
+    (data: T, message: EventMessage): void;
+}
+interface ChannelHandlers {
+    [eventName: string]: ChannelEventHandler;
+}
+interface HealthResponse {
+    status: string;
+    uptime: number;
+}
+
+export type { AppCredentials as A, PublishedMessage as B, ConnectionTokenInput as C, ServerAuthApprovedResponse as D, EventMessage as E, ServerAuthDecision as F, ServerAuthDeniedResponse as G, HandleServerAuthOptions as H, ServerAuthRequest as I, ServerAuthResponse as J, ServerAuthTokenResponse as K, LoginInput as L, ServerErrorMessage as M, ServerMessage as N, SubscribeOptions as O, PingMessage as P, SubscribedMessage as Q, UpdateApplicationInput as R, ServerAuthAllowedResponse as S, User as T, UnsubscribedMessage as U, UserRole as V, ConnectionTokenResponse as a, ApiError as b, Application as c, ArkNotifyClientConfig as d, ArkNotifyConnectionConfig as e, ArkNotifySSEConfig as f, AuthResponse as g, ChannelAuthInput as h, ChannelAuthResponse as i, ChannelEventHandler as j, ChannelHandlers as k, ConnectedMessage as l, ConnectionCapabilities as m, ConnectionState as n, CreateApplicationInput as o, CreateAuthorizedServerAuthResponseOptions as p, HealthResponse as q, PongMessage as r, PresenceAction as s, PresenceLeftMessage as t, PresenceMemberInfo as u, PresenceMessage as v, PresenceUpdatedMessage as w, PrivateChannelAuthHandler as x, PublishEventInput as y, PublishEventResponse as z };