npm - @forklaunch/core - Versions diffs - 0.10.4 → 0.11.0 - Mend

@forklaunch/core 0.10.4 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/http/index.mjs CHANGED Viewed

@@ -66,7 +66,39 @@ function isTypedHandler(maybeTypedHandler) {
 }
 // src/http/middleware/request/auth.middleware.ts
+import { isNever } from "@forklaunch/common";
 import { jwtVerify } from "jose";
+// src/http/discriminateAuthMethod.ts
+function discriminateAuthMethod(auth) {
+  if ("basic" in auth) {
+    return {
+      type: "basic",
+      auth: auth.basic
+    };
+  } else if ("jwt" in auth) {
+    return {
+      type: "jwt",
+      auth: auth.jwt
+    };
+  } else {
+    return {
+      type: "jwt"
+    };
+  }
+}
+// src/http/guards/hasPermissionChecks.ts
+function hasPermissionChecks(maybePermissionedAuth) {
+  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && "mapPermissions" in maybePermissionedAuth && ("allowedPermissions" in maybePermissionedAuth || "forbiddenPermissions" in maybePermissionedAuth);
+}
+// src/http/guards/hasRoleChecks.ts
+function hasRoleChecks(maybeRoledAuth) {
+  return typeof maybeRoledAuth === "object" && maybeRoledAuth !== null && "mapRoles" in maybeRoledAuth && ("allowedRoles" in maybeRoledAuth || "forbiddenRoles" in maybeRoledAuth);
+}
+// src/http/middleware/request/auth.middleware.ts
 var invalidAuthorizationTokenFormat = [
   401,
   "Invalid Authorization token format."
@@ -97,18 +129,16 @@ async function checkAuthorizationToken(authorizationMethod, authorizationToken,
   }
   const [tokenPrefix, token] = authorizationToken.split(" ");
   let resourceId;
-  switch (authorizationMethod.method) {
+  const { type, auth } = discriminateAuthMethod(authorizationMethod);
+  switch (type) {
     case "jwt": {
-      if (tokenPrefix !== "Bearer") {
+      if (tokenPrefix !== (authorizationMethod.tokenPrefix ?? "Bearer")) {
         return invalidAuthorizationTokenFormat;
       }
       try {
         const decodedJwt = await jwtVerify(
           token,
-          new TextEncoder().encode(
-            // TODO: Check this at application startup if there is any route with jwt checking
-            process.env.JWT_SECRET
-          )
+          new TextEncoder().encode(process.env.JWT_SECRET)
         );
         if (!decodedJwt.payload.sub) {
           return invalidAuthorizationSubject;
@@ -121,27 +151,24 @@ async function checkAuthorizationToken(authorizationMethod, authorizationToken,
       break;
     }
     case "basic": {
-      if (authorizationToken !== "Basic") {
+      if (authorizationToken !== (authorizationMethod.tokenPrefix ?? "Basic")) {
         return invalidAuthorizationTokenFormat;
       }
       const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
       if (!username || !password) {
         return invalidAuthorizationTokenFormat;
       }
-      if (!authorizationMethod.login(username, password)) {
+      if (!auth.login(username, password)) {
         return invalidAuthorizationLogin;
       }
       resourceId = username;
       break;
     }
-    case "other":
-      if (tokenPrefix !== authorizationMethod.tokenPrefix) {
-        return invalidAuthorizationTokenFormat;
-      }
-      resourceId = authorizationMethod.decodeResource(token);
-      break;
+    default:
+      isNever(type);
+      return [401, "Invalid Authorization method."];
   }
-  if (authorizationMethod.allowedPermissions || authorizationMethod.forbiddenPermissions) {
+  if (hasPermissionChecks(authorizationMethod)) {
     if (!authorizationMethod.mapPermissions) {
       return [500, "No permission mapping function provided."];
     }
@@ -149,49 +176,49 @@ async function checkAuthorizationToken(authorizationMethod, authorizationToken,
       resourceId,
       req
     );
-    if (authorizationMethod.allowedPermissions) {
+    if ("allowedPermissions" in authorizationMethod && authorizationMethod.allowedPermissions) {
       if (resourcePermissions.intersection(authorizationMethod.allowedPermissions).size === 0) {
         return invalidAuthorizationTokenPermissions;
       }
     }
-    if (authorizationMethod.forbiddenPermissions) {
+    if ("forbiddenPermissions" in authorizationMethod && authorizationMethod.forbiddenPermissions) {
       if (resourcePermissions.intersection(
         authorizationMethod.forbiddenPermissions
       ).size !== 0) {
         return invalidAuthorizationTokenPermissions;
       }
     }
-  }
-  if (authorizationMethod.allowedRoles || authorizationMethod.forbiddenRoles) {
+  } else if (hasRoleChecks(authorizationMethod)) {
     if (!authorizationMethod.mapRoles) {
       return [500, "No role mapping function provided."];
     }
     const resourceRoles = await authorizationMethod.mapRoles(resourceId, req);
-    if (authorizationMethod.allowedRoles) {
+    if ("allowedRoles" in authorizationMethod && authorizationMethod.allowedRoles) {
       if (resourceRoles.intersection(authorizationMethod.allowedRoles).size === 0) {
         return invalidAuthorizationTokenRoles;
       }
     }
-    if (authorizationMethod.forbiddenRoles) {
+    if ("forbiddenRoles" in authorizationMethod && authorizationMethod.forbiddenRoles) {
       if (resourceRoles.intersection(authorizationMethod.forbiddenRoles).size !== 0) {
         return invalidAuthorizationTokenRoles;
       }
     }
+  } else {
+    return [401, "Invalid Authorization method."];
   }
-  return [401, "Invalid Authorization method."];
 }
 async function parseRequestAuth(req, res, next) {
   const auth = req.contractDetails.auth;
   if (auth) {
     const [error, message] = await checkAuthorizationToken(
       auth,
-      req.headers[(auth.method === "other" ? auth.headerName : void 0) ?? "Authorization"],
+      req.headers[auth.headerName ?? "Authorization"] || req.headers[auth.headerName ?? "authorization"],
       req
     ) ?? [];
     if (error != null) {
       res.type("text/plain");
       res.status(error).send(message);
-      next?.(new Error(message));
+      return;
     }
   }
   next?.();
@@ -262,7 +289,7 @@ function isForklaunchRequest(request) {
 }
 // src/http/telemetry/pinoLogger.ts
-import { isNever, safeStringify } from "@forklaunch/common";
+import { isNever as isNever2, safeStringify } from "@forklaunch/common";
 import { trace as trace2 } from "@opentelemetry/api";
 import { logs } from "@opentelemetry/api-logs";
 import pino from "pino";
@@ -294,7 +321,7 @@ function mapSeverity(level) {
     case "fatal":
       return 21;
     default:
-      isNever(level);
+      isNever2(level);
       return 0;
   }
 }
@@ -1457,6 +1484,11 @@ var trace3 = (_schemaValidator, path, contractDetails, ...handlers) => {
   return typedHandler(_schemaValidator, path, "trace", contractDetails, ...handlers);
 };
+// src/http/handlers/typedAuthHandler.ts
+function typedAuthHandler(_schemaValidator, _contractDetails, authHandler) {
+  return authHandler;
+}
 // src/http/httpStatusCodes.ts
 var HTTPStatuses = {
   /**
@@ -2441,8 +2473,8 @@ var getCodeForStatus = (status) => {
 var httpStatusCodes_default = HTTPStatuses;
 // src/http/mcpGenerator/mcpGenerator.ts
-import { isNever as isNever2, isRecord, safeStringify as safeStringify2 } from "@forklaunch/common";
-import { ZodSchemaValidator } from "@forklaunch/validator/zod";
+import { isNever as isNever3, isRecord, safeStringify as safeStringify2 } from "@forklaunch/common";
+import { string, ZodSchemaValidator } from "@forklaunch/validator/zod";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 // src/http/router/unpackRouters.ts
@@ -2499,14 +2531,15 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, route
         ...route.contractDetails.params ? { params: schemaValidator.schemify(route.contractDetails.params) } : {},
         ...route.contractDetails.query ? { query: schemaValidator.schemify(route.contractDetails.query) } : {},
         ...route.contractDetails.requestHeaders ? {
-          headers: schemaValidator.schemify(
-            route.contractDetails.requestHeaders
-          )
+          headers: schemaValidator.schemify({
+            ...route.contractDetails.requestHeaders,
+            ...route.contractDetails.auth ? {
+              [route.contractDetails.auth.headerName ?? "authorization"]: string.startsWith(
+                route.contractDetails.auth.tokenPrefix ?? ("basic" in route.contractDetails.auth ? "Basic " : "Bearer ")
+              )
+            } : {}
+          })
         } : {}
-        // TODO: support auth
-        //   ...(route.contractDetails.auth
-        //     ? { auth: route.contractDetails.auth }
-        //     : {})
       };
       mcpServer.tool(
         route.contractDetails.name,
@@ -2568,7 +2601,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, route
                 break;
               }
               default: {
-                isNever2(discriminatedBody.parserType);
+                isNever3(discriminatedBody.parserType);
                 parsedBody = safeStringify2(body);
                 break;
               }
@@ -2718,7 +2751,7 @@ ${parseErrors.join("\n\n")}`
 // src/http/middleware/response/enrichExpressLikeSend.middleware.ts
 import {
   isAsyncGenerator,
-  isNever as isNever3,
+  isNever as isNever4,
   isNodeJsWriteableStream,
   isRecord as isRecord2,
   readableStreamToAsyncIterable,
@@ -2855,7 +2888,7 @@ ${res.locals.errorMessage}`;
           res.bodyData = data;
           break;
         default:
-          isNever3(parserType);
+          isNever4(parserType);
           res.bodyData = data;
           break;
       }
@@ -2901,7 +2934,7 @@ function transformBasePath(basePath) {
   }
   return `/${basePath}`;
 }
-function generateOpenApiDocument(protocol, host, port, tags, paths, otherServers) {
+function generateOpenApiDocument(protocol, host, port, tags, paths, securitySchemes, otherServers) {
   return {
     openapi: "3.1.0",
     info: {
@@ -2909,13 +2942,7 @@ function generateOpenApiDocument(protocol, host, port, tags, paths, otherServers
       version: process.env.VERSION || "1.0.0"
     },
     components: {
-      securitySchemes: {
-        bearer: {
-          type: "http",
-          scheme: "bearer",
-          bearerFormat: "JWT"
-        }
-      }
+      securitySchemes
     },
     tags,
     servers: [
@@ -2947,6 +2974,7 @@ function contentResolver(schemaValidator, body, contentType) {
 function generateSwaggerDocument(schemaValidator, protocol, host, port, routers, otherServers) {
   const tags = [];
   const paths = {};
+  const securitySchemes = {};
   unpackRouters(routers).forEach(({ fullPath, router, sdkPath }) => {
     const controllerName = transformBasePath(fullPath);
     tags.push({
@@ -3043,14 +3071,39 @@ function generateSwaggerDocument(schemaValidator, protocol, host, port, routers,
           description: httpStatusCodes_default[403],
           content: contentResolver(schemaValidator, schemaValidator.string)
         };
-        if (route.contractDetails.auth.method === "jwt") {
+        if ("basic" in route.contractDetails.auth) {
           operationObject.security = [
             {
-              bearer: Array.from(
-                route.contractDetails.auth.allowedPermissions?.values() || []
+              basic: Array.from(
+                "allowedPermissions" in route.contractDetails.auth ? route.contractDetails.auth.allowedPermissions?.values() || [] : []
               )
             }
           ];
+          securitySchemes["basic"] = {
+            type: "http",
+            scheme: "basic"
+          };
+        } else if (route.contractDetails.auth) {
+          operationObject.security = [
+            {
+              [route.contractDetails.auth.headerName !== "Authorization" ? "bearer" : "apiKey"]: Array.from(
+                "allowedPermissions" in route.contractDetails.auth ? route.contractDetails.auth.allowedPermissions?.values() || [] : []
+              )
+            }
+          ];
+          if (route.contractDetails.auth.headerName && route.contractDetails.auth.headerName !== "Authorization") {
+            securitySchemes[route.contractDetails.auth.headerName] = {
+              type: "apiKey",
+              in: "header",
+              name: route.contractDetails.auth.headerName
+            };
+          } else {
+            securitySchemes["Authorization"] = {
+              type: "http",
+              scheme: "bearer",
+              bearerFormat: "JWT"
+            };
+          }
         }
       }
       if (route.method !== "middleware") {
@@ -3064,6 +3117,7 @@ function generateSwaggerDocument(schemaValidator, protocol, host, port, routers,
     port,
     tags,
     paths,
+    securitySchemes,
     otherServers
   );
 }
@@ -3129,6 +3183,7 @@ export {
   put,
   recordMetric,
   trace3 as trace,
+  typedAuthHandler,
   typedHandler
 };
 //# sourceMappingURL=index.mjs.map