@enterprisestandard/react 0.0.5-beta.20260115.2 → 0.0.5-beta.20260115.4

package/dist/workload-server.d.ts

@@ -1,127 +0,0 @@
-import type { EnterpriseStandard } from '.';
-import type { TokenValidationResult } from './types/workload-schema';
-import type { WorkloadIdentity } from './workload';
-/**
- * Get the workload identity from an incoming request.
- * Returns undefined if no valid workload token is present.
- *
- * @param request - Request with Authorization header
- * @param config - Optional EnterpriseStandard configuration
- * @returns WorkloadIdentity or undefined
- *
- * @example
- * ```typescript
- * import { getWorkload } from '@enterprisestandard/react';
- *
- * export async function handler(request: Request) {
- *   const workload = await getWorkload(request);
- *
- *   if (!workload) {
- *     return new Response('Unauthorized', { status: 401 });
- *   }
- *
- *   console.log('Request from workload:', workload.workload_id);
- *   // ... process authenticated request
- * }
- * ```
- */
-export declare function getWorkload(request: Request, es?: EnterpriseStandard): Promise<WorkloadIdentity | undefined>;
-/**
- * Get an access token for the configured workload identity.
- *
- * @param scope - Optional OAuth2 scopes (space-delimited)
- * @param config - Optional EnterpriseStandard configuration
- * @returns Access token string
- *
- * @example
- * ```typescript
- * import { getWorkloadToken } from '@enterprisestandard/react/server';
- *
- * // Get token for API calls
- * const token = await getWorkloadToken('api:read api:write');
- *
- * // Use in outbound requests
- * const response = await fetch('https://api.example.com/data', {
- *   headers: { 'Authorization': `Bearer ${token}` },
- * });
- * ```
- */
-export declare function getWorkloadToken(scope?: string, es?: EnterpriseStandard): Promise<string>;
-/**
- * Validate a workload token from an incoming request.
- *
- * @param request - Request with Authorization header
- * @param config - Optional EnterpriseStandard configuration
- * @returns Token validation result
- *
- * @example
- * ```typescript
- * import { validateWorkloadToken } from '@enterprisestandard/react/server';
- *
- * export async function handler(request: Request) {
- *   const result = await validateWorkloadToken(request);
- *
- *   if (!result.valid) {
- *     return new Response(
- *       JSON.stringify({ error: result.error }),
- *       { status: 401 }
- *     );
- *   }
- *
- *   const workloadId = result.claims?.iss;
- *   // ... process authenticated request
- * }
- * ```
- */
-export declare function validateWorkloadToken(request: Request, es?: EnterpriseStandard): Promise<TokenValidationResult>;
-/**
- * Revoke a workload access token.
- *
- * @param token - The access token to revoke
- * @param config - Optional EnterpriseStandard configuration
- *
- * @example
- * ```typescript
- * import { revokeWorkloadToken } from '@enterprisestandard/react/server';
- *
- * // Revoke token when workload is decommissioned
- * await revokeWorkloadToken(accessToken);
- * ```
- */
-export declare function revokeWorkloadToken(token: string, es?: EnterpriseStandard): Promise<void>;
-/**
- * Framework-agnostic handler for workload authentication routes.
- *
- * The handler reads configuration (handler URLs, validation) directly from the
- * EnterpriseStandard instance, so no config parameter is needed.
- *
- * @param request - Incoming request
- * @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
- * @returns Response
- *
- * @example
- * ```typescript
- * import { workloadHandler } from '@enterprisestandard/react/server';
- *
- * // TanStack Start example
- * export const Route = createFileRoute('/api/workload/$')({
- *   server: {
- *     handlers: ({ createHandlers }) =>
- *       createHandlers({
- *         GET: {
- *           handler: async ({ request }) => {
- *             return workloadHandler(request);
- *           },
- *         },
- *         POST: {
- *           handler: async ({ request }) => {
- *             return workloadHandler(request);
- *           },
- *         },
- *       }),
- *   },
- * });
- * ```
- */
-export declare function workloadHandler(request: Request, es?: EnterpriseStandard): Promise<Response>;
-//# sourceMappingURL=workload-server.d.ts.map

package/dist/workload-server.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"workload-server.d.ts","sourceRoot":"","sources":["../src/workload-server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,GAAG,CAAC;AAC5C,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAcnD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAMlH;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAI/F;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAarH;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/F;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAIlG"}

package/dist/workload-server.js

@@ -1,167 +0,0 @@
-import { getES } from './utils';
-/**
- * Returns a 503 response indicating that the SSO is unavailable
- */
-function unavailable(error) {
-    error = error ?? 'Workload authentication unavailable';
-    new Response(JSON.stringify({ error }), {
-        status: 503,
-        statusText: error,
-        headers: { 'Content-Type': 'application/json' },
-    });
-}
-/**
- * Get the workload identity from an incoming request.
- * Returns undefined if no valid workload token is present.
- *
- * @param request - Request with Authorization header
- * @param config - Optional EnterpriseStandard configuration
- * @returns WorkloadIdentity or undefined
- *
- * @example
- * ```typescript
- * import { getWorkload } from '@enterprisestandard/react';
- *
- * export async function handler(request: Request) {
- *   const workload = await getWorkload(request);
- *
- *   if (!workload) {
- *     return new Response('Unauthorized', { status: 401 });
- *   }
- *
- *   console.log('Request from workload:', workload.workload_id);
- *   // ... process authenticated request
- * }
- * ```
- */
-export async function getWorkload(request, es) {
-    const workloadAuth = getES(es)?.workload;
-    if (!workloadAuth) {
-        return undefined;
-    }
-    return workloadAuth.getWorkload(request);
-}
-/**
- * Get an access token for the configured workload identity.
- *
- * @param scope - Optional OAuth2 scopes (space-delimited)
- * @param config - Optional EnterpriseStandard configuration
- * @returns Access token string
- *
- * @example
- * ```typescript
- * import { getWorkloadToken } from '@enterprisestandard/react/server';
- *
- * // Get token for API calls
- * const token = await getWorkloadToken('api:read api:write');
- *
- * // Use in outbound requests
- * const response = await fetch('https://api.example.com/data', {
- *   headers: { 'Authorization': `Bearer ${token}` },
- * });
- * ```
- */
-export async function getWorkloadToken(scope, es) {
-    const workloadAuth = getES(es)?.workload;
-    if (!workloadAuth)
-        throw unavailable();
-    return workloadAuth.getToken(scope);
-}
-/**
- * Validate a workload token from an incoming request.
- *
- * @param request - Request with Authorization header
- * @param config - Optional EnterpriseStandard configuration
- * @returns Token validation result
- *
- * @example
- * ```typescript
- * import { validateWorkloadToken } from '@enterprisestandard/react/server';
- *
- * export async function handler(request: Request) {
- *   const result = await validateWorkloadToken(request);
- *
- *   if (!result.valid) {
- *     return new Response(
- *       JSON.stringify({ error: result.error }),
- *       { status: 401 }
- *     );
- *   }
- *
- *   const workloadId = result.claims?.iss;
- *   // ... process authenticated request
- * }
- * ```
- */
-export async function validateWorkloadToken(request, es) {
-    const workloadAuth = getES(es)?.workload;
-    if (!workloadAuth) {
-        return { valid: false, error: 'Workload authentication unavailable' };
-    }
-    const authHeader = request.headers.get('Authorization');
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-        return { valid: false, error: 'Missing or invalid Authorization header' };
-    }
-    const token = authHeader.substring(7);
-    return workloadAuth.validateToken(token);
-}
-/**
- * Revoke a workload access token.
- *
- * @param token - The access token to revoke
- * @param config - Optional EnterpriseStandard configuration
- *
- * @example
- * ```typescript
- * import { revokeWorkloadToken } from '@enterprisestandard/react/server';
- *
- * // Revoke token when workload is decommissioned
- * await revokeWorkloadToken(accessToken);
- * ```
- */
-export async function revokeWorkloadToken(token, es) {
-    const workloadAuth = getES(es)?.workload;
-    if (!workloadAuth)
-        throw unavailable();
-    return workloadAuth.revokeToken(token);
-}
-/**
- * Framework-agnostic handler for workload authentication routes.
- *
- * The handler reads configuration (handler URLs, validation) directly from the
- * EnterpriseStandard instance, so no config parameter is needed.
- *
- * @param request - Incoming request
- * @param config - Optional ESConfig to specify which EnterpriseStandard instance to use
- * @returns Response
- *
- * @example
- * ```typescript
- * import { workloadHandler } from '@enterprisestandard/react/server';
- *
- * // TanStack Start example
- * export const Route = createFileRoute('/api/workload/$')({
- *   server: {
- *     handlers: ({ createHandlers }) =>
- *       createHandlers({
- *         GET: {
- *           handler: async ({ request }) => {
- *             return workloadHandler(request);
- *           },
- *         },
- *         POST: {
- *           handler: async ({ request }) => {
- *             return workloadHandler(request);
- *           },
- *         },
- *       }),
- *   },
- * });
- * ```
- */
-export async function workloadHandler(request, es) {
-    const workloadAuth = getES(es)?.workload;
-    if (!workloadAuth)
-        throw unavailable();
-    return workloadAuth.handler(request);
-}

package/dist/workload-token-store.d.ts

@@ -1,187 +0,0 @@
-/**
- * Token caching for workload identity authentication.
- *
- * Token stores are optional but recommended for performance - they enable:
- * - Token caching to avoid repeated token acquisition
- * - Automatic token refresh before expiration
- * - Reduced load on authorization servers
- *
- * ## Token Caching Strategy
- *
- * Unlike session stores for user authentication, workload token stores cache
- * short-lived access tokens (typically 5 minutes) for service-to-service calls.
- *
- * **Default Behavior:**
- * - Tokens cached with 5-minute TTL
- * - Auto-refresh 60 seconds before expiration
- * - Expired tokens automatically removed
- *
- * ## Performance Characteristics
- *
- * | Backend      | Lookup Time | Use Case                    |
- * |--------------|-------------|----------------------------|
- * | InMemory     | <0.00005ms  | Single-server deployments  |
- * | Redis        | 1-2ms       | Multi-server deployments   |
- * | Database     | 5-20ms      | Persistent token storage   |
- *
- * ## Example Usage
- *
- * ```typescript
- * import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
- *
- * // With token caching
- * const workloadAuth = workload({
- *   // ... other config
- *   token_store: new InMemoryWorkloadTokenStore(),
- *   auto_refresh: true,  // Refresh before expiry
- * });
- *
- * // Without token caching (fetch new token each time)
- * const workloadAuth = workload({
- *   // ... config without token_store
- * });
- * ```
- */
-/**
- * Cached workload token data.
- *
- * @template TExtended - Type-safe custom data that consumers can add to cached tokens
- */
-export type CachedWorkloadToken<TExtended = object> = {
-    /**
-     * Workload identifier (typically SPIFFE ID).
-     * Used as the primary key for token lookup.
-     */
-    workload_id: string;
-    /**
-     * OAuth2 access token (Bearer token)
-     */
-    access_token: string;
-    /**
-     * Token type (always "Bearer" for OAuth2)
-     */
-    token_type: string;
-    /**
-     * OAuth2 scopes granted for this token
-     */
-    scope?: string;
-    /**
-     * Timestamp when the token expires.
-     * Used for automatic cleanup and refresh logic.
-     */
-    expires_at: Date;
-    /**
-     * Timestamp when the token was created/cached.
-     */
-    created_at: Date;
-    /**
-     * Optional refresh token (rarely used for workload identities)
-     */
-    refresh_token?: string;
-} & TExtended;
-/**
- * Abstract interface for workload token storage backends.
- *
- * Consumers can implement this interface to use different storage backends:
- * - Redis (recommended for multi-server deployments)
- * - Database (PostgreSQL, MySQL, etc. for persistence)
- * - Distributed cache (Memcached, etc.)
- * - Custom solutions
- *
- * @template TExtended - Type-safe custom data that consumers can add to cached tokens
- *
- * @example
- * ```typescript
- * // Custom token cache data
- * type MyTokenData = {
- *   environment: string;
- *   region: string;
- * };
- *
- * // Implement custom store with Redis
- * class RedisWorkloadTokenStore implements WorkloadTokenStore<MyTokenData> {
- *   async set(token: CachedWorkloadToken<MyTokenData>): Promise<void> {
- *     const ttl = Math.floor((token.expires_at.getTime() - Date.now()) / 1000);
- *     await redis.setex(
- *       `workload:token:${token.workload_id}`,
- *       ttl,
- *       JSON.stringify(token)
- *     );
- *   }
- *
- *   async get(workload_id: string): Promise<CachedWorkloadToken<MyTokenData> | null> {
- *     const data = await redis.get(`workload:token:${workload_id}`);
- *     if (!data) return null;
- *     const token = JSON.parse(data);
- *     // Convert date strings back to Date objects
- *     token.expires_at = new Date(token.expires_at);
- *     token.created_at = new Date(token.created_at);
- *     return token;
- *   }
- *
- *   // ... other methods
- * }
- * ```
- */
-export interface WorkloadTokenStore<TExtended = object> {
-    /**
-     * Store or update a workload token in the cache.
-     *
-     * @param token - The token data to cache
-     */
-    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
-    /**
-     * Retrieve a cached token by workload ID.
-     *
-     * @param workload_id - The workload identifier (e.g., SPIFFE ID)
-     * @returns The cached token if found and not expired, null otherwise
-     */
-    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
-    /**
-     * Delete a cached token by workload ID.
-     *
-     * Used when explicitly revoking tokens or clearing cache.
-     *
-     * @param workload_id - The workload identifier to remove
-     */
-    delete(workload_id: string): Promise<void>;
-    /**
-     * Check if a valid (non-expired) token exists for a workload.
-     *
-     * @param workload_id - The workload identifier to check
-     * @returns true if a valid token exists, false otherwise
-     */
-    isValid(workload_id: string): Promise<boolean>;
-    /**
-     * Remove all expired tokens from the cache.
-     *
-     * Should be called periodically to prevent memory leaks.
-     */
-    cleanup(): Promise<void>;
-}
-/**
- * In-memory workload token store implementation using Maps.
- *
- * Suitable for:
- * - Development and testing
- * - Single-server deployments
- * - Applications without high availability requirements
- *
- * NOT suitable for:
- * - Multi-server deployments (tokens not shared across instances)
- * - High availability scenarios (tokens lost on restart)
- * - Production applications with distributed architecture
- *
- * For production multi-server deployments, implement WorkloadTokenStore with Redis.
- *
- * @template TExtended - Type-safe custom data that consumers can add to cached tokens
- */
-export declare class InMemoryWorkloadTokenStore<TExtended = object> implements WorkloadTokenStore<TExtended> {
-    private tokens;
-    set(token: CachedWorkloadToken<TExtended>): Promise<void>;
-    get(workload_id: string): Promise<CachedWorkloadToken<TExtended> | null>;
-    delete(workload_id: string): Promise<void>;
-    isValid(workload_id: string): Promise<boolean>;
-    cleanup(): Promise<void>;
-}
-//# sourceMappingURL=workload-token-store.d.ts.map

package/dist/workload-token-store.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"workload-token-store.d.ts","sourceRoot":"","sources":["../src/workload-token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAAC,SAAS,GAAG,MAAM,IAAI;IACpD;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,UAAU,EAAE,IAAI,CAAC;IAEjB;;OAEG;IACH,UAAU,EAAE,IAAI,CAAC;IAEjB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,MAAM,WAAW,kBAAkB,CAAC,SAAS,GAAG,MAAM;IACpD;;;;OAIG;IACH,GAAG,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;;;;OAKG;IACH,GAAG,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAEzE;;;;;;OAMG;IACH,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE/C;;;;OAIG;IACH,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,0BAA0B,CAAC,SAAS,GAAG,MAAM,CAAE,YAAW,kBAAkB,CAAC,SAAS,CAAC;IAClG,OAAO,CAAC,MAAM,CAAqD;IAE7D,GAAG,CAAC,KAAK,EAAE,mBAAmB,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,GAAG,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAaxE,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ/B"}

package/dist/workload-token-store.js

@@ -1,95 +0,0 @@
-/**
- * Token caching for workload identity authentication.
- *
- * Token stores are optional but recommended for performance - they enable:
- * - Token caching to avoid repeated token acquisition
- * - Automatic token refresh before expiration
- * - Reduced load on authorization servers
- *
- * ## Token Caching Strategy
- *
- * Unlike session stores for user authentication, workload token stores cache
- * short-lived access tokens (typically 5 minutes) for service-to-service calls.
- *
- * **Default Behavior:**
- * - Tokens cached with 5-minute TTL
- * - Auto-refresh 60 seconds before expiration
- * - Expired tokens automatically removed
- *
- * ## Performance Characteristics
- *
- * | Backend      | Lookup Time | Use Case                    |
- * |--------------|-------------|----------------------------|
- * | InMemory     | <0.00005ms  | Single-server deployments  |
- * | Redis        | 1-2ms       | Multi-server deployments   |
- * | Database     | 5-20ms      | Persistent token storage   |
- *
- * ## Example Usage
- *
- * ```typescript
- * import { workload, InMemoryWorkloadTokenStore } from '@enterprisestandard/react/server';
- *
- * // With token caching
- * const workloadAuth = workload({
- *   // ... other config
- *   token_store: new InMemoryWorkloadTokenStore(),
- *   auto_refresh: true,  // Refresh before expiry
- * });
- *
- * // Without token caching (fetch new token each time)
- * const workloadAuth = workload({
- *   // ... config without token_store
- * });
- * ```
- */
-/**
- * In-memory workload token store implementation using Maps.
- *
- * Suitable for:
- * - Development and testing
- * - Single-server deployments
- * - Applications without high availability requirements
- *
- * NOT suitable for:
- * - Multi-server deployments (tokens not shared across instances)
- * - High availability scenarios (tokens lost on restart)
- * - Production applications with distributed architecture
- *
- * For production multi-server deployments, implement WorkloadTokenStore with Redis.
- *
- * @template TExtended - Type-safe custom data that consumers can add to cached tokens
- */
-export class InMemoryWorkloadTokenStore {
-    constructor() {
-        this.tokens = new Map();
-    }
-    async set(token) {
-        this.tokens.set(token.workload_id, token);
-    }
-    async get(workload_id) {
-        const token = this.tokens.get(workload_id);
-        if (!token)
-            return null;
-        // Check if token is expired
-        if (Date.now() > token.expires_at.getTime()) {
-            this.tokens.delete(workload_id);
-            return null;
-        }
-        return token;
-    }
-    async delete(workload_id) {
-        this.tokens.delete(workload_id);
-    }
-    async isValid(workload_id) {
-        const token = await this.get(workload_id);
-        return token !== null;
-    }
-    async cleanup() {
-        const now = Date.now();
-        for (const [workload_id, token] of this.tokens.entries()) {
-            if (now > token.expires_at.getTime()) {
-                this.tokens.delete(workload_id);
-            }
-        }
-    }
-}