@enterprisestandard/react 0.0.5-beta.20260115.3 → 0.0.5-beta.20260115.4

package/dist/workload.d.ts

@@ -1,227 +0,0 @@
-import type { EnterpriseStandard } from '.';
-import type { StandardSchemaV1 } from './types/standard-schema';
-import type { JWTAssertionClaims, TokenValidationResult, WorkloadTokenResponse } from './types/workload-schema';
-import { type WorkloadTokenStore } from './workload-token-store';
-/**
- * Common fields shared across all workload authentication modes
- */
-type WorkloadConfigBase = {
-    /**
-     * OAuth2 token endpoint URL
-     * REQUIRED for client role (token acquisition)
-     */
-    token_url?: string;
-    /**
-     * JWKS endpoint URL for public key retrieval
-     * REQUIRED for server role (token validation)
-     */
-    jwks_uri?: string;
-    /**
-     * Expected token issuer URL for validation
-     * RECOMMENDED for server role (token validation)
-     */
-    issuer?: string;
-    /**
-     * Target audience for tokens
-     */
-    audience?: string;
-    /**
-     * Default OAuth2 scopes (space-delimited)
-     */
-    scope?: string;
-    /**
-     * JWT assertion/token lifetime in seconds
-     * @default 300 (5 minutes)
-     */
-    token_lifetime?: number;
-    /**
-     * Refresh threshold in seconds (refresh token this many seconds before expiry)
-     * @default 60
-     */
-    refresh_threshold?: number;
-    /**
-     * Optional token store for caching access tokens
-     */
-    token_store?: WorkloadTokenStore;
-    /**
-     * Automatically refresh tokens before expiration
-     * @default true
-     */
-    auto_refresh?: boolean;
-    /**
-     * Optional RFC 7009 token revocation endpoint
-     */
-    revocation_endpoint?: string;
-    /**
-     * Optional handler defaults (merged with per-call overrides in `handler`)
-     */
-    tokenUrl?: string;
-    validateUrl?: string;
-    jwksUrl?: string;
-    refreshUrl?: string;
-    validation?: {
-        jwtAssertionClaims?: StandardSchemaV1<unknown, JWTAssertionClaims>;
-        tokenResponse?: StandardSchemaV1<unknown, WorkloadTokenResponse>;
-    };
-};
-/**
- * JWT Bearer Grant (RFC 7523) Configuration
- *
- * Used for SPIFFE-style workload identities where services have their own
- * cryptographic identity and sign their own JWT assertions.
- *
- * @example
- * ```json
- * {
- *   "token_url": "https://auth.example.com/oauth/token",
- *   "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
- *   "workload_id": "spiffe://trust-domain/ns/service",
- *   "audience": "https://auth.example.com/oauth/token",
- *   "private_key": "-----BEGIN PRIVATE KEY-----...",
- *   "algorithm": "RS256"
- * }
- * ```
- */
-export type JwtBearerWorkloadConfig = WorkloadConfigBase & {
-    /**
-     * Workload identifier (e.g., SPIFFE ID: spiffe://trust-domain/namespace/service)
-     * REQUIRED for JWT Bearer Grant mode
-     */
-    workload_id?: string;
-    /**
-     * PEM-encoded private key for signing JWT assertions
-     * REQUIRED for client role in JWT Bearer Grant mode
-     */
-    private_key?: string;
-    /**
-     * Key ID (kid) to include in JWT header for key rotation support
-     */
-    key_id?: string;
-    /**
-     * JWT signing algorithm
-     * @default 'RS256'
-     */
-    algorithm?: 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512';
-};
-/**
- * OAuth2 Client Credentials Configuration
- *
- * Standard OAuth2 Client Credentials Grant (RFC 6749 Section 4.4).
- * Used with identity providers like Keycloak for service-to-service authentication.
- *
- * @example
- * ```json
- * {
- *   "token_url": "https://sso.example.com/realms/myrealm/protocol/openid-connect/token",
- *   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
- *   "client_id": "my-service",
- *   "client_secret": "secret-from-idp",
- *   "issuer": "https://sso.example.com/realms/myrealm",
- *   "scope": "api:read api:write"
- * }
- * ```
- */
-export type ClientCredentialsWorkloadConfig = WorkloadConfigBase & {
-    /**
-     * OAuth2 client identifier registered with the authorization server
-     * REQUIRED for Client Credentials mode
-     */
-    client_id?: string;
-    /**
-     * OAuth2 client secret
-     * REQUIRED for Client Credentials mode
-     */
-    client_secret?: string;
-};
-/**
- * Server-Only Workload Configuration
- *
- * Used when a service only needs to validate incoming workload tokens,
- * not acquire tokens for outbound calls. Requires only jwks_uri for
- * public key retrieval.
- *
- * @example
- * ```json
- * {
- *   "jwks_uri": "https://sso.example.com/realms/myrealm/protocol/openid-connect/certs",
- *   "issuer": "https://sso.example.com/realms/myrealm"
- * }
- * ```
- */
-export type ServerOnlyWorkloadConfig = WorkloadConfigBase;
-/**
- * Workload Identity Authentication Configuration
- *
- * Union type supporting multiple authentication modes. The mode is automatically
- * detected based on which fields are present:
- *
- * - **JWT Bearer Grant**: Requires `workload_id` + `private_key`
- * - **Client Credentials**: Requires `client_id` + `client_secret`
- * - **Server-Only**: Only `jwks_uri` (and optionally `issuer`) for token validation
- *
- * The developer uses the same API regardless of mode - the library handles the details.
- */
-export type WorkloadConfig = JwtBearerWorkloadConfig | ClientCredentialsWorkloadConfig | ServerOnlyWorkloadConfig;
-export type ESConfig = {
-    es?: EnterpriseStandard;
-};
-/**
- * Workload Identity extracted from validated tokens
- */
-export type WorkloadIdentity = {
-    /**
-     * Workload identifier (for JWT Bearer Grant tokens)
-     */
-    workload_id?: string;
-    /**
-     * Client identifier (for OAuth2 Client Credentials tokens)
-     */
-    client_id?: string;
-    /**
-     * Granted scopes
-     */
-    scope?: string;
-    /**
-     * Full JWT claims from the token
-     */
-    claims: JWTAssertionClaims;
-};
-/**
- * Workload Identity Authentication Interface
- */
-export type Workload = WorkloadConfig & {
-    getToken: (scope?: string) => Promise<string>;
-    refreshToken: () => Promise<WorkloadTokenResponse>;
-    generateJWTAssertion: (scope?: string) => Promise<string>;
-    revokeToken: (token: string) => Promise<void>;
-    validateToken: (token: string, validation?: WorkloadConfig['validation']) => Promise<TokenValidationResult>;
-    getWorkload: (request: Request) => Promise<WorkloadIdentity | undefined>;
-    parseJWT: (token: string, validation?: WorkloadConfig['validation']) => Promise<JWTAssertionClaims>;
-    handler: (request: Request) => Promise<Response>;
-};
-/**
- * Create a workload identity authentication instance
- *
- * @param config - Workload authentication configuration
- * @returns Workload authentication interface
- *
- * @example
- * ```typescript
- * import { workload } from '@enterprisestandard/react';
- *
- * const workloadAuth = workload({
- *   token_url: 'https://auth.example.com/oauth/token',
- *   jwks_uri: 'https://auth.example.com/.well-known/jwks.json',
- *   workload_id: 'spiffe://trust-domain/ns/service',
- *   audience: 'https://auth.example.com/oauth/token',
- *   private_key: '-----BEGIN PRIVATE KEY-----...',
- *   algorithm: 'RS256',
- * });
- *
- * // Get access token
- * const token = await workloadAuth.getToken('api:read api:write');
- * ```
- */
-export declare function workload(config?: WorkloadConfig): Workload;
-export {};
-//# sourceMappingURL=workload.d.ts.map

package/dist/workload.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"workload.d.ts","sourceRoot":"","sources":["../src/workload.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,GAAG,CAAC;AAC5C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAGhH,OAAO,EAA8B,KAAK,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAE7F;;GAEG;AACH,KAAK,kBAAkB,GAAG;IACxB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,WAAW,CAAC,EAAE,kBAAkB,CAAC;IAEjC;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE;QACX,kBAAkB,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACnE,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;KAClE,CAAC;CACH,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,uBAAuB,GAAG,kBAAkB,GAAG;IACzD;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CACvE,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,+BAA+B,GAAG,kBAAkB,GAAG;IACjE;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAE1D;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,cAAc,GAAG,uBAAuB,GAAG,+BAA+B,GAAG,wBAAwB,CAAC;AA2BlH,MAAM,MAAM,QAAQ,GAAG;IACrB,EAAE,CAAC,EAAE,kBAAkB,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,MAAM,EAAE,kBAAkB,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,QAAQ,GAAG,cAAc,GAAG;IAEtC,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9C,YAAY,EAAE,MAAM,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACnD,oBAAoB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1D,WAAW,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAG9C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,cAAc,CAAC,YAAY,CAAC,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC5G,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAAC;IACzE,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,cAAc,CAAC,YAAY,CAAC,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAGpG,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAClD,CAAC;AA6DF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,QAAQ,CAAC,MAAM,CAAC,EAAE,cAAc,GAAG,QAAQ,CAiuB1D"}