npm - @enbox/dwn-server - Versions diffs - 0.0.2 → 0.0.4 - Mend

@enbox/dwn-server 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/LICENSE +3 -2
package/README.md +115 -215
package/dist/esm/src/admin/activity-log.d.ts +44 -0
package/dist/esm/src/admin/activity-log.d.ts.map +1 -0
package/dist/esm/src/admin/activity-log.js +85 -0
package/dist/esm/src/admin/activity-log.js.map +1 -0
package/dist/esm/src/admin/admin-api.d.ts +61 -0
package/dist/esm/src/admin/admin-api.d.ts.map +1 -0
package/dist/esm/src/admin/admin-api.js +1047 -0
package/dist/esm/src/admin/admin-api.js.map +1 -0
package/dist/esm/src/admin/admin-auth.d.ts +9 -0
package/dist/esm/src/admin/admin-auth.d.ts.map +1 -0
package/dist/esm/src/admin/admin-auth.js +45 -0
package/dist/esm/src/admin/admin-auth.js.map +1 -0
package/dist/esm/src/admin/admin-store.d.ts +111 -0
package/dist/esm/src/admin/admin-store.d.ts.map +1 -0
package/dist/esm/src/admin/admin-store.js +376 -0
package/dist/esm/src/admin/admin-store.js.map +1 -0
package/dist/esm/src/admin/audit-log.d.ts +94 -0
package/dist/esm/src/admin/audit-log.d.ts.map +1 -0
package/dist/esm/src/admin/audit-log.js +220 -0
package/dist/esm/src/admin/audit-log.js.map +1 -0
package/dist/esm/src/admin/index.d.ts +10 -0
package/dist/esm/src/admin/index.d.ts.map +1 -0
package/dist/esm/src/admin/index.js +7 -0
package/dist/esm/src/admin/index.js.map +1 -0
package/dist/esm/src/admin/types.d.ts +306 -0
package/dist/esm/src/admin/types.d.ts.map +1 -0
package/dist/esm/src/admin/types.js +2 -0
package/dist/esm/src/admin/types.js.map +1 -0
package/dist/esm/src/admin/webhook-manager.d.ts +55 -0
package/dist/esm/src/admin/webhook-manager.d.ts.map +1 -0
package/dist/esm/src/admin/webhook-manager.js +184 -0
package/dist/esm/src/admin/webhook-manager.js.map +1 -0
package/dist/esm/src/config.d.ts +124 -9
package/dist/esm/src/config.d.ts.map +1 -1
package/dist/esm/src/config.js +155 -13
package/dist/esm/src/config.js.map +1 -1
package/dist/esm/src/connection/connection-manager.d.ts +32 -9
package/dist/esm/src/connection/connection-manager.d.ts.map +1 -1
package/dist/esm/src/connection/connection-manager.js +38 -5
package/dist/esm/src/connection/connection-manager.js.map +1 -1
package/dist/esm/src/connection/flow-controller.d.ts +53 -0
package/dist/esm/src/connection/flow-controller.d.ts.map +1 -0
package/dist/esm/src/connection/flow-controller.js +101 -0
package/dist/esm/src/connection/flow-controller.js.map +1 -0
package/dist/esm/src/connection/socket-connection.d.ts +54 -18
package/dist/esm/src/connection/socket-connection.d.ts.map +1 -1
package/dist/esm/src/connection/socket-connection.js +102 -40
package/dist/esm/src/connection/socket-connection.js.map +1 -1
package/dist/esm/src/delivery-service.d.ts +43 -0
package/dist/esm/src/delivery-service.d.ts.map +1 -0
package/dist/esm/src/delivery-service.js +574 -0
package/dist/esm/src/delivery-service.js.map +1 -0
package/dist/esm/src/dwn-error.d.ts +10 -1
package/dist/esm/src/dwn-error.d.ts.map +1 -1
package/dist/esm/src/dwn-error.js +9 -0
package/dist/esm/src/dwn-error.js.map +1 -1
package/dist/esm/src/dwn-server.d.ts +13 -6
package/dist/esm/src/dwn-server.d.ts.map +1 -1
package/dist/esm/src/dwn-server.js +199 -24
package/dist/esm/src/dwn-server.js.map +1 -1
package/dist/esm/src/http-api.d.ts +28 -13
package/dist/esm/src/http-api.d.ts.map +1 -1
package/dist/esm/src/http-api.js +649 -374
package/dist/esm/src/http-api.js.map +1 -1
package/dist/esm/src/index.d.ts +6 -2
package/dist/esm/src/index.d.ts.map +1 -1
package/dist/esm/src/index.js +4 -1
package/dist/esm/src/index.js.map +1 -1
package/dist/esm/src/json-rpc-api.js +2 -1
package/dist/esm/src/json-rpc-api.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js +109 -7
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts +20 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js +41 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/close.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.js +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.js.map +1 -1
package/dist/esm/src/lib/json-rpc-router.d.ts +25 -8
package/dist/esm/src/lib/json-rpc-router.d.ts.map +1 -1
package/dist/esm/src/lib/json-rpc-router.js.map +1 -1
package/dist/esm/src/lib/sql-utils.d.ts +6 -0
package/dist/esm/src/lib/sql-utils.d.ts.map +1 -0
package/dist/esm/src/lib/sql-utils.js +8 -0
package/dist/esm/src/lib/sql-utils.js.map +1 -0
package/dist/esm/src/main.js +0 -6
package/dist/esm/src/main.js.map +1 -1
package/dist/esm/src/message-processed-hook.d.ts +35 -0
package/dist/esm/src/message-processed-hook.d.ts.map +1 -0
package/dist/esm/src/message-processed-hook.js +2 -0
package/dist/esm/src/message-processed-hook.js.map +1 -0
package/dist/esm/src/metrics.d.ts +14 -2
package/dist/esm/src/metrics.d.ts.map +1 -1
package/dist/esm/src/metrics.js +41 -1
package/dist/esm/src/metrics.js.map +1 -1
package/dist/esm/src/plugins/event-log-nats.d.ts +25 -0
package/dist/esm/src/plugins/event-log-nats.d.ts.map +1 -0
package/dist/esm/src/plugins/event-log-nats.js +379 -0
package/dist/esm/src/plugins/event-log-nats.js.map +1 -0
package/dist/esm/src/rate-limiter.d.ts +60 -0
package/dist/esm/src/rate-limiter.d.ts.map +1 -0
package/dist/esm/src/rate-limiter.js +116 -0
package/dist/esm/src/rate-limiter.js.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts +53 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js +90 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/open-auth-handler.d.ts +37 -0
package/dist/esm/src/registration/open-auth-handler.d.ts.map +1 -0
package/dist/esm/src/registration/open-auth-handler.js +214 -0
package/dist/esm/src/registration/open-auth-handler.js.map +1 -0
package/dist/esm/src/registration/proof-of-work-manager.d.ts +1 -1
package/dist/esm/src/registration/proof-of-work-manager.d.ts.map +1 -1
package/dist/esm/src/registration/proof-of-work-manager.js +3 -3
package/dist/esm/src/registration/proof-of-work-manager.js.map +1 -1
package/dist/esm/src/registration/provider-auth-plugin.d.ts +46 -0
package/dist/esm/src/registration/provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/provider-auth-plugin.js +29 -0
package/dist/esm/src/registration/provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/registration-manager.d.ts +28 -5
package/dist/esm/src/registration/registration-manager.d.ts.map +1 -1
package/dist/esm/src/registration/registration-manager.js +83 -12
package/dist/esm/src/registration/registration-manager.js.map +1 -1
package/dist/esm/src/registration/registration-store.d.ts +83 -3
package/dist/esm/src/registration/registration-store.d.ts.map +1 -1
package/dist/esm/src/registration/registration-store.js +248 -11
package/dist/esm/src/registration/registration-store.js.map +1 -1
package/dist/esm/src/storage.d.ts +5 -5
package/dist/esm/src/storage.d.ts.map +1 -1
package/dist/esm/src/storage.js +105 -24
package/dist/esm/src/storage.js.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.d.ts.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.js +11 -3
package/dist/esm/src/web5-connect/sql-ttl-cache.js.map +1 -1
package/dist/esm/src/web5-connect/web5-connect-server.d.ts.map +1 -1
package/dist/esm/src/web5-connect/web5-connect-server.js +2 -2
package/dist/esm/src/web5-connect/web5-connect-server.js.map +1 -1
package/dist/esm/src/ws-api.d.ts +18 -4
package/dist/esm/src/ws-api.d.ts.map +1 -1
package/dist/esm/src/ws-api.js +12 -16
package/dist/esm/src/ws-api.js.map +1 -1
package/package.json +34 -53
package/src/admin/activity-log.ts +100 -0
package/src/admin/admin-api.ts +1308 -0
package/src/admin/admin-auth.ts +56 -0
package/src/admin/admin-store.ts +515 -0
package/src/admin/audit-log.ts +327 -0
package/src/admin/index.ts +34 -0
package/src/admin/types.ts +352 -0
package/src/admin/webhook-manager.ts +245 -0
package/src/config.ts +190 -22
package/src/connection/connection-manager.ts +67 -17
package/src/connection/flow-controller.ts +117 -0
package/src/connection/socket-connection.ts +144 -67
package/src/delivery-service.ts +740 -0
package/src/dwn-error.ts +11 -2
package/src/dwn-server.ts +254 -39
package/src/http-api.ts +736 -392
package/src/index.ts +13 -2
package/src/json-rpc-api.ts +2 -1
package/src/json-rpc-handlers/dwn/process-message.ts +149 -15
package/src/json-rpc-handlers/subscription/ack.ts +63 -0
package/src/json-rpc-handlers/subscription/close.ts +5 -9
package/src/json-rpc-handlers/subscription/index.ts +1 -0
package/src/lib/json-rpc-router.ts +26 -11
package/src/lib/sql-utils.ts +7 -0
package/src/main.ts +0 -8
package/src/message-processed-hook.ts +33 -0
package/src/metrics.ts +57 -8
package/src/plugins/event-log-nats.ts +466 -0
package/src/process-handlers.ts +5 -5
package/src/rate-limiter.ts +143 -0
package/src/registration/jwt-provider-auth-plugin.ts +119 -0
package/src/registration/open-auth-handler.ts +263 -0
package/src/registration/proof-of-work-manager.ts +11 -10
package/src/registration/provider-auth-plugin.ts +84 -0
package/src/registration/registration-manager.ts +129 -31
package/src/registration/registration-store.ts +332 -22
package/src/storage.ts +136 -40
package/src/web5-connect/sql-ttl-cache.ts +12 -5
package/src/web5-connect/web5-connect-server.ts +9 -8
package/src/ws-api.ts +39 -26
package/dist/cjs/index.js +0 -6811
package/dist/cjs/package.json +0 -1
package/dist/esm/src/json-rpc-socket.d.ts +0 -39
package/dist/esm/src/json-rpc-socket.d.ts.map +0 -1
package/dist/esm/src/json-rpc-socket.js +0 -125
package/dist/esm/src/json-rpc-socket.js.map +0 -1
package/dist/esm/src/lib/http-server-shutdown-handler.d.ts +0 -10
package/dist/esm/src/lib/http-server-shutdown-handler.d.ts.map +0 -1
package/dist/esm/src/lib/http-server-shutdown-handler.js +0 -65
package/dist/esm/src/lib/http-server-shutdown-handler.js.map +0 -1
package/dist/esm/src/lib/json-rpc.d.ts +0 -54
package/dist/esm/src/lib/json-rpc.d.ts.map +0 -1
package/dist/esm/src/lib/json-rpc.js +0 -60
package/dist/esm/src/lib/json-rpc.js.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.d.ts +0 -8
package/dist/esm/src/registration/proof-of-work-types.d.ts.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.js +0 -2
package/dist/esm/src/registration/proof-of-work-types.js.map +0 -1
package/dist/esm/src/registration/registration-types.d.ts +0 -18
package/dist/esm/src/registration/registration-types.d.ts.map +0 -1
package/dist/esm/src/registration/registration-types.js +0 -2
package/dist/esm/src/registration/registration-types.js.map +0 -1
package/dist/esm/tests/common-scenario-validator.d.ts +0 -11
package/dist/esm/tests/common-scenario-validator.d.ts.map +0 -1
package/dist/esm/tests/common-scenario-validator.js +0 -114
package/dist/esm/tests/common-scenario-validator.js.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.d.ts +0 -2
package/dist/esm/tests/connection/connection-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.js +0 -47
package/dist/esm/tests/connection/connection-manager.spec.js.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.d.ts +0 -2
package/dist/esm/tests/connection/socket-connection.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.js +0 -125
package/dist/esm/tests/connection/socket-connection.spec.js.map +0 -1
package/dist/esm/tests/cors/http-api.browser.d.ts +0 -2
package/dist/esm/tests/cors/http-api.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/http-api.browser.js +0 -60
package/dist/esm/tests/cors/http-api.browser.js.map +0 -1
package/dist/esm/tests/cors/ping.browser.d.ts +0 -2
package/dist/esm/tests/cors/ping.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/ping.browser.js +0 -7
package/dist/esm/tests/cors/ping.browser.js.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.d.ts +0 -2
package/dist/esm/tests/dwn-process-message.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.js +0 -172
package/dist/esm/tests/dwn-process-message.spec.js.map +0 -1
package/dist/esm/tests/dwn-server.spec.d.ts +0 -2
package/dist/esm/tests/dwn-server.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-server.spec.js +0 -49
package/dist/esm/tests/dwn-server.spec.js.map +0 -1
package/dist/esm/tests/http-api.spec.d.ts +0 -2
package/dist/esm/tests/http-api.spec.d.ts.map +0 -1
package/dist/esm/tests/http-api.spec.js +0 -775
package/dist/esm/tests/http-api.spec.js.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.d.ts +0 -2
package/dist/esm/tests/json-rpc-socket.spec.d.ts.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.js +0 -225
package/dist/esm/tests/json-rpc-socket.spec.js.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/data-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/data-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/event-log-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.js +0 -23
package/dist/esm/tests/plugins/event-log-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts +0 -17
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.js +0 -21
package/dist/esm/tests/plugins/event-stream-in-memory.js.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/message-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/message-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js.map +0 -1
package/dist/esm/tests/process-handler.spec.d.ts +0 -2
package/dist/esm/tests/process-handler.spec.d.ts.map +0 -1
package/dist/esm/tests/process-handler.spec.js +0 -60
package/dist/esm/tests/process-handler.spec.js.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts +0 -2
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.js +0 -157
package/dist/esm/tests/registration/proof-of-work-manager.spec.js.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts +0 -2
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.js +0 -81
package/dist/esm/tests/rpc-subscribe-close.spec.js.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js +0 -73
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/registration.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.js +0 -507
package/dist/esm/tests/scenarios/registration.spec.js.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.js +0 -137
package/dist/esm/tests/scenarios/web5-connect.spec.js.map +0 -1
package/dist/esm/tests/test-dwn.d.ts +0 -7
package/dist/esm/tests/test-dwn.d.ts.map +0 -1
package/dist/esm/tests/test-dwn.js +0 -34
package/dist/esm/tests/test-dwn.js.map +0 -1
package/dist/esm/tests/utils.d.ts +0 -46
package/dist/esm/tests/utils.d.ts.map +0 -1
package/dist/esm/tests/utils.js +0 -116
package/dist/esm/tests/utils.js.map +0 -1
package/dist/esm/tests/ws-api.spec.d.ts +0 -2
package/dist/esm/tests/ws-api.spec.d.ts.map +0 -1
package/dist/esm/tests/ws-api.spec.js +0 -327
package/dist/esm/tests/ws-api.spec.js.map +0 -1
package/src/json-rpc-socket.ts +0 -155
package/src/lib/http-server-shutdown-handler.ts +0 -79
package/src/lib/json-rpc.ts +0 -126
package/src/registration/proof-of-work-types.ts +0 -7
package/src/registration/registration-types.ts +0 -18

package/src/registration/jwt-provider-auth-plugin.ts ADDED Viewed

@@ -0,0 +1,119 @@
+import type { ProviderAuthPlugin, ProviderAuthValidationResult } from './provider-auth-plugin.js';
+import * as jose from 'jose';
+import log from 'loglevel';
+/**
+ * Options for creating a {@link JwtProviderAuthPlugin}.
+ * Exactly one of `secret` or `jwksUrl` must be provided.
+ */
+export type JwtProviderAuthPluginOptions = {
+  /** HMAC shared secret for HS256/HS384/HS512 tokens. */
+  secret? : string;
+  /** JWKS endpoint URL for RS256/ES256/EdDSA tokens. */
+  jwksUrl? : string;
+  /** Expected JWT `iss` claim. If set, tokens without a matching issuer are rejected. */
+  issuer? : string;
+  /** Expected JWT `aud` claim. If set, tokens without a matching audience are rejected. */
+  audience? : string;
+};
+/**
+ * Built-in {@link ProviderAuthPlugin} that validates JWT registration tokens.
+ *
+ * Supports two modes:
+ * - **HMAC secret** (`DWN_PROVIDER_AUTH_JWT_SECRET`): symmetric HS256 verification.
+ * - **JWKS URL** (`DWN_PROVIDER_AUTH_JWT_JWKS_URL`): asymmetric verification via
+ *   a remote JWKS endpoint (RS256, ES256, EdDSA, etc.). Keys are cached and
+ *   rotated automatically by `jose`.
+ *
+ * The JWT payload may include:
+ * - `sub` — mapped to `accountId` in the validation result.
+ * - `metadata` — arbitrary provider-defined object stored with the tenant.
+ *
+ * This plugin ships with `@enbox/dwn-server` and requires no external code.
+ * Providers who need custom validation logic can implement their own
+ * {@link ProviderAuthPlugin} instead.
+ */
+export class JwtProviderAuthPlugin implements ProviderAuthPlugin {
+  #getKey: Uint8Array | jose.JWTVerifyGetKey;
+  #issuer: string | undefined;
+  #audience: string | undefined;
+  private constructor(
+    getKey: Uint8Array | jose.JWTVerifyGetKey,
+    issuer?: string,
+    audience?: string,
+  ) {
+    this.#getKey = getKey;
+    this.#issuer = issuer;
+    this.#audience = audience;
+  }
+  /**
+   * Create a {@link JwtProviderAuthPlugin} from options.
+   *
+   * @param options - Must include exactly one of `secret` or `jwksUrl`.
+   * @throws If neither `secret` nor `jwksUrl` is provided.
+   */
+  public static async create(options: JwtProviderAuthPluginOptions): Promise<JwtProviderAuthPlugin> {
+    if (!options.secret && !options.jwksUrl) {
+      throw new Error(
+        'JwtProviderAuthPlugin: exactly one of `secret` or `jwksUrl` must be provided.',
+      );
+    }
+    let getKey: any;
+    if (options.secret) {
+      getKey = new TextEncoder().encode(options.secret);
+    } else {
+      getKey = jose.createRemoteJWKSet(new URL(options.jwksUrl!));
+    }
+    return new JwtProviderAuthPlugin(getKey, options.issuer, options.audience);
+  }
+  /**
+   * Create a {@link JwtProviderAuthPlugin} from environment variables.
+   *
+   * Reads `DWN_PROVIDER_AUTH_JWT_SECRET`, `DWN_PROVIDER_AUTH_JWT_JWKS_URL`,
+   * and optionally `DWN_PROVIDER_AUTH_JWT_ISSUER` / `DWN_PROVIDER_AUTH_JWT_AUDIENCE`.
+   */
+  public static async fromEnv(): Promise<JwtProviderAuthPlugin> {
+    return JwtProviderAuthPlugin.create({
+      secret   : process.env.DWN_PROVIDER_AUTH_JWT_SECRET,
+      jwksUrl  : process.env.DWN_PROVIDER_AUTH_JWT_JWKS_URL,
+      issuer   : process.env.DWN_PROVIDER_AUTH_JWT_ISSUER,
+      audience : process.env.DWN_PROVIDER_AUTH_JWT_AUDIENCE,
+    });
+  }
+  /** @inheritdoc */
+  public async validateRegistrationToken(token: string): Promise<ProviderAuthValidationResult> {
+    try {
+      const verifyOptions: jose.JWTVerifyOptions = {};
+      if (this.#issuer !== undefined) {
+        verifyOptions.issuer = this.#issuer;
+      }
+      if (this.#audience !== undefined) {
+        verifyOptions.audience = this.#audience;
+      }
+      const { payload } = await jose.jwtVerify(token, this.#getKey as any, verifyOptions);
+      return {
+        isValid   : true,
+        accountId : typeof payload.sub === 'string' ? payload.sub : undefined,
+        metadata  : typeof payload.metadata === 'object' && payload.metadata !== null
+          ? payload.metadata as Record<string, unknown>
+          : undefined,
+      };
+    } catch (error) {
+      log.debug('JWT validation failed:', (error as Error).message);
+      return {
+        isValid : false,
+        detail  : (error as Error).message,
+      };
+    }
+  }
+}

package/src/registration/open-auth-handler.ts ADDED Viewed

@@ -0,0 +1,263 @@
+import * as jose from 'jose';
+import log from 'loglevel';
+/**
+ * Built-in "open auth" handler for DWN servers that want registration
+ * without any user authentication (open-to-all).
+ *
+ * Implements the provider-auth-v0 authorize / token / refresh endpoints
+ * locally on the DWN server. The authorize endpoint immediately returns
+ * an authorization code (no user interaction), the token endpoint exchanges
+ * it for a JWT registration token, and the refresh endpoint issues a new token.
+ *
+ * This is the simplest possible auth backend — suitable for free/public DWN
+ * providers. Providers who want real authentication (passkey, OIDC, etc.)
+ * host their own auth service and point `providerAuth.authorizeUrl` /
+ * `tokenUrl` to it instead.
+ *
+ * The JWTs issued here are verified by {@link JwtProviderAuthPlugin} using
+ * the same shared secret (`DWN_PROVIDER_AUTH_JWT_SECRET`).
+ */
+/**
+ * Maximum number of pending authorization codes held in memory.
+ * When the limit is reached, new authorize requests are rejected with 503.
+ */
+const MAX_PENDING_CODES = 10_000;
+/** Interval (ms) at which expired authorization codes are purged. */
+const CLEANUP_INTERVAL_MS = 60_000;
+export class OpenAuthHandler {
+  #secret: Uint8Array;
+  #issuer: string;
+  /** Pending authorization codes. Maps code → { redirectUri, expiresAt }. */
+  #pendingCodes: Map<string, { redirectUri: string; expiresAt: number }>;
+  /** Registration token TTL in seconds. Default: 1 year. */
+  #tokenTtlSeconds: number;
+  /** Periodic cleanup timer for expired codes. */
+  #cleanupTimer: ReturnType<typeof setInterval>;
+  private constructor(secret: Uint8Array, issuer: string, tokenTtlSeconds: number) {
+    this.#secret = secret;
+    this.#issuer = issuer;
+    this.#pendingCodes = new Map();
+    this.#tokenTtlSeconds = tokenTtlSeconds;
+    // Periodically purge expired codes so memory does not grow unbounded
+    // even when no new authorize requests arrive.
+    this.#cleanupTimer = setInterval(() => this.#cleanExpiredCodes(), CLEANUP_INTERVAL_MS);
+    // Allow the process to exit even if the timer is still running.
+    if (this.#cleanupTimer.unref) {
+      this.#cleanupTimer.unref();
+    }
+  }
+  /**
+   * Create an {@link OpenAuthHandler}.
+   *
+   * @param secret - HMAC shared secret (same as `DWN_PROVIDER_AUTH_JWT_SECRET`).
+   * @param issuer - JWT issuer claim (typically the DWN server's base URL).
+   * @param tokenTtlSeconds - Registration token lifetime in seconds. Default: 1 year.
+   */
+  public static create(secret: string, issuer: string, tokenTtlSeconds = 365 * 24 * 60 * 60): OpenAuthHandler {
+    return new OpenAuthHandler(
+      new TextEncoder().encode(secret),
+      issuer,
+      tokenTtlSeconds,
+    );
+  }
+  /**
+   * Handle `GET /provider-auth/authorize`.
+   *
+   * In open-auth mode this immediately generates a code and redirects back
+   * to the `redirect_uri` with `code` and `state` query parameters.
+   * No user interaction is required.
+   */
+  public handleAuthorize(url: URL): Response {
+    const redirectUri = url.searchParams.get('redirect_uri');
+    const state = url.searchParams.get('state');
+    if (!redirectUri) {
+      return Response.json(
+        { error: 'missing redirect_uri parameter' },
+        { status: 400 },
+      );
+    }
+    // Reject new codes when the map is at capacity to prevent memory exhaustion.
+    if (this.#pendingCodes.size >= MAX_PENDING_CODES) {
+      log.warn(`OpenAuthHandler: pending codes map is full (${MAX_PENDING_CODES}), rejecting authorize request`);
+      return Response.json(
+        { error: 'server is busy, try again later' },
+        { status: 503 },
+      );
+    }
+    // Generate a random authorization code.
+    const code = crypto.randomUUID();
+    // Store the code with a 10-minute expiry.
+    this.#pendingCodes.set(code, {
+      redirectUri,
+      expiresAt: Date.now() + 10 * 60 * 1000,
+    });
+    // Periodically clean up expired codes (simple inline sweep).
+    this.#cleanExpiredCodes();
+    // Build redirect URL.
+    const redirect = new URL(redirectUri);
+    redirect.searchParams.set('code', code);
+    if (state) {
+      redirect.searchParams.set('state', state);
+    }
+    log.debug(`OpenAuthHandler: issued code ${code.slice(0, 8)}… for redirect to ${redirectUri}`);
+    return Response.json({
+      code,
+      state       : state ?? undefined,
+      redirectUri : redirect.toString(),
+    });
+  }
+  /**
+   * Handle `POST /provider-auth/token`.
+   *
+   * Exchanges an authorization code for a JWT registration token.
+   * Request body: `{ code: string, redirectUri: string }`.
+   */
+  public async handleToken(req: Request): Promise<Response> {
+    let body: { code?: string; redirectUri?: string };
+    try {
+      body = await req.json() as { code?: string; redirectUri?: string };
+    } catch {
+      return Response.json({ error: 'invalid JSON body' }, { status: 400 });
+    }
+    const { code, redirectUri } = body;
+    if (!code || !redirectUri) {
+      return Response.json(
+        { error: 'missing code or redirectUri' },
+        { status: 400 },
+      );
+    }
+    // Validate the authorization code.
+    const pending = this.#pendingCodes.get(code);
+    if (!pending) {
+      return Response.json({ error: 'invalid or expired code' }, { status: 400 });
+    }
+    if (pending.redirectUri !== redirectUri) {
+      return Response.json({ error: 'redirect_uri mismatch' }, { status: 400 });
+    }
+    if (Date.now() > pending.expiresAt) {
+      this.#pendingCodes.delete(code);
+      return Response.json({ error: 'code expired' }, { status: 400 });
+    }
+    // Consume the code (one-time use).
+    this.#pendingCodes.delete(code);
+    // Generate an account ID for this session (open auth = anonymous accounts).
+    const accountId = crypto.randomUUID();
+    // Issue JWT registration token.
+    const registrationToken = await this.#signToken(accountId, this.#tokenTtlSeconds);
+    // Issue refresh token with longer TTL (2x).
+    const refreshToken = await this.#signToken(accountId, this.#tokenTtlSeconds * 2, 'refresh');
+    log.debug(`OpenAuthHandler: exchanged code for account ${accountId.slice(0, 8)}…`);
+    return Response.json({
+      registrationToken,
+      refreshToken,
+      expiresIn : this.#tokenTtlSeconds,
+      tokenType : 'bearer',
+    });
+  }
+  /**
+   * Handle `POST /provider-auth/refresh`.
+   *
+   * Exchanges a refresh token for a new registration token.
+   * Request body: `{ refreshToken: string }`.
+   */
+  public async handleRefresh(req: Request): Promise<Response> {
+    let body: { refreshToken?: string };
+    try {
+      body = await req.json() as { refreshToken?: string };
+    } catch {
+      return Response.json({ error: 'invalid JSON body' }, { status: 400 });
+    }
+    if (!body.refreshToken) {
+      return Response.json({ error: 'missing refreshToken' }, { status: 400 });
+    }
+    // Verify the refresh token.
+    let payload: jose.JWTPayload;
+    try {
+      const result = await jose.jwtVerify(body.refreshToken, this.#secret, {
+        issuer: this.#issuer,
+      });
+      payload = result.payload;
+    } catch (error) {
+      return Response.json(
+        { error: `invalid refresh token: ${(error as Error).message}` },
+        { status: 400 },
+      );
+    }
+    if (payload.purpose !== 'refresh') {
+      return Response.json({ error: 'token is not a refresh token' }, { status: 400 });
+    }
+    const accountId = payload.sub ?? crypto.randomUUID();
+    // Issue new tokens.
+    const registrationToken = await this.#signToken(accountId, this.#tokenTtlSeconds);
+    const refreshToken = await this.#signToken(accountId, this.#tokenTtlSeconds * 2, 'refresh');
+    log.debug(`OpenAuthHandler: refreshed token for account ${accountId.slice(0, 8)}…`);
+    return Response.json({
+      registrationToken,
+      refreshToken,
+      expiresIn : this.#tokenTtlSeconds,
+      tokenType : 'bearer',
+    });
+  }
+  /** Sign a JWT with the shared secret. */
+  async #signToken(accountId: string, ttlSeconds: number, purpose = 'registration'): Promise<string> {
+    return new jose.SignJWT({ purpose })
+      .setProtectedHeader({ alg: 'HS256' })
+      .setIssuer(this.#issuer)
+      .setAudience(this.#issuer)
+      .setSubject(accountId)
+      .setIssuedAt()
+      .setExpirationTime(`${ttlSeconds}s`)
+      .sign(this.#secret);
+  }
+  /** Stops the periodic cleanup timer and clears all pending codes. */
+  public destroy(): void {
+    clearInterval(this.#cleanupTimer);
+    this.#pendingCodes.clear();
+  }
+  /** Remove expired authorization codes from the pending map. */
+  #cleanExpiredCodes(): void {
+    const now = Date.now();
+    for (const [code, data] of this.#pendingCodes) {
+      if (now > data.expiresAt) {
+        this.#pendingCodes.delete(code);
+      }
+    }
+  }
+}

package/src/registration/proof-of-work-manager.ts CHANGED Viewed

@@ -1,6 +1,7 @@
-import { DwnServerError, DwnServerErrorCode } from "../dwn-error.js";
-import type { ProofOfWorkChallengeModel } from "./proof-of-work-types.js";
-import { ProofOfWork } from "./proof-of-work.js";
+import type { ProofOfWorkChallengeModel } from '@enbox/dwn-clients';
+import { ProofOfWork } from './proof-of-work.js';
+import { DwnServerError, DwnServerErrorCode } from '../dwn-error.js';
 /**
  * Manages proof-of-work challenge difficulty and lifecycle based on solve rate.
@@ -18,7 +19,7 @@ export class ProofOfWorkManager {
   };
   // There is opportunity to improve implementation here.
-  // TODO: https://github.com/TBD54566975/dwn-server/issues/101
+  // TODO: https://github.com/enboxorg/enbox/issues/101
   private proofOfWorkOfLastMinute: Map<string, number> = new Map(); // proofOfWorkId -> timestamp of proof-of-work
   // Seed to generate the challenge nonce from, this allows all DWN instances in a cluster to generate the same challenge.
@@ -122,8 +123,8 @@ export class ProofOfWorkManager {
   public getProofOfWorkChallenge(): ProofOfWorkChallengeModel {
     return {
-      challengeNonce: this.challengeNonces.currentChallengeNonce,
-      maximumAllowedHashValue: ProofOfWorkManager.bigIntToHexString(this.currentMaximumAllowedHashValue),
+      challengeNonce          : this.challengeNonces.currentChallengeNonce,
+      maximumAllowedHashValue : ProofOfWorkManager.bigIntToHexString(this.currentMaximumAllowedHashValue),
     };
   }
@@ -228,7 +229,7 @@ export class ProofOfWorkManager {
   /**
    * Refreshes the difficulty by changing the max hash value.
    * The higher the number, the easier. Scale 1 (hardest) to 2^256 (easiest), represented in HEX.
-   *
+   *
    * If solve rate rate is higher than expected, the difficulty will increase rapidly.
    * If solve rate is lower than expected, the difficulty will decrease gradually.
    * The difficulty will never be lower than the initial difficulty.
@@ -247,16 +248,16 @@ export class ProofOfWorkManager {
     //       and harder difficulty is represented by a smaller max allowed hash value.
     if (latestSolveCountPerMinute > this.desiredSolveCountPerMinute) {
       // if solve rate is higher than desired, make difficulty harder by making the max allowed hash value smaller
       const currentSolveRateInFractionOfDesiredSolveRate = latestSolveCountPerMinute / this.desiredSolveCountPerMinute;
       const newMaximumAllowedHashValueAsBigIntPriorToMultiplierAdjustment
-        = (this.currentMaximumAllowedHashValueAsBigInt * BigInt(scaleFactor)) /
+        = (this.currentMaximumAllowedHashValueAsBigInt * BigInt(scaleFactor)) /
           (BigInt(Math.floor(currentSolveRateInFractionOfDesiredSolveRate * this.difficultyIncreaseMultiplier * scaleFactor)));
       const hashValueDecreaseAmountPriorToEvaluationFrequencyAdjustment
         = (this.currentMaximumAllowedHashValueAsBigInt - newMaximumAllowedHashValueAsBigIntPriorToMultiplierAdjustment) *
           (BigInt(Math.floor(this.difficultyIncreaseMultiplier * scaleFactor)) / BigInt(scaleFactor));
       // Adjustment based on the reevaluation frequency to provide more-or-less consistent behavior regardless of the reevaluation frequency.
       const hashValueDecreaseAmount = hashValueDecreaseAmountPriorToEvaluationFrequencyAdjustment / BigInt(difficultyEvaluationsPerMinute);

package/src/registration/provider-auth-plugin.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import { DwnServerError, DwnServerErrorCode } from '../dwn-error.js';
+/**
+ * Interface for validating provider auth registration tokens.
+ * DWN server operators implement this to integrate with their auth service.
+ *
+ * The token is intentionally opaque — it could be a JWT, blind RSA token,
+ * ecash token, or any other format. The plugin is responsible for all
+ * validation logic.
+ */
+export interface ProviderAuthPlugin {
+  /**
+   * Validate a registration token presented during DID registration.
+   *
+   * @param token - The opaque registration token from the client
+   * @returns Validation result with optional account metadata
+   */
+  validateRegistrationToken(token: string): Promise<ProviderAuthValidationResult>;
+}
+/**
+ * Result of validating a provider auth registration token.
+ */
+export type ProviderAuthValidationResult = {
+  /** Whether the token is valid and the registration should proceed. */
+  isValid : boolean;
+  /**
+   * Optional account identifier that this DID registration is associated with.
+   * Omit for privacy-preserving providers where DID-to-account correlation
+   * should not be stored.
+   */
+  accountId? : string;
+  /**
+   * Optional provider-defined metadata to store with the tenant registration.
+   * Can include plan details, quotas, or any other provider-specific data.
+   * Stored as JSON in the registeredTenants table.
+   */
+  metadata? : Record<string, unknown>;
+  /** Error detail message when isValid is false. */
+  detail? : string;
+};
+/**
+ * Load a ProviderAuthPlugin from a file path.
+ * The module must export a default class or object that implements ProviderAuthPlugin.
+ *
+ * Follows the same pattern as the existing PluginLoader.
+ */
+export async function loadProviderAuthPlugin(pluginPath: string): Promise<ProviderAuthPlugin> {
+  let module: any;
+  try {
+    module = await import(pluginPath);
+  } catch (error) {
+    throw new DwnServerError(
+      DwnServerErrorCode.ProviderAuthPluginLoadFailed,
+      `Failed to load provider auth plugin at ${pluginPath}: ${(error as Error).message}`,
+    );
+  }
+  const plugin = module.default;
+  if (plugin === undefined) {
+    throw new DwnServerError(
+      DwnServerErrorCode.ProviderAuthPluginLoadFailed,
+      `Provider auth plugin at ${pluginPath} does not have a default export.`,
+    );
+  }
+  // Support both class (instantiate) and plain object exports.
+  const instance: ProviderAuthPlugin = typeof plugin === 'function'
+    ? new plugin() as ProviderAuthPlugin
+    : plugin as ProviderAuthPlugin;
+  if (typeof instance.validateRegistrationToken !== 'function') {
+    throw new DwnServerError(
+      DwnServerErrorCode.ProviderAuthPluginLoadFailed,
+      `Provider auth plugin at ${pluginPath} does not implement validateRegistrationToken().`,
+    );
+  }
+  return instance;
+}