@forklaunch/core 0.10.4 → 0.11.1

package/lib/http/index.mjs

@@ -66,7 +66,47 @@ function isTypedHandler(maybeTypedHandler) {
 }
 
 // src/http/middleware/request/auth.middleware.ts
+import { isNever } from "@forklaunch/common";
 import { jwtVerify } from "jose";
+
+// src/http/discriminateAuthMethod.ts
+function discriminateAuthMethod(auth) {
+  if ("basic" in auth) {
+    return {
+      type: "basic",
+      auth: {
+        decodeResource: auth.decodeResource,
+        login: auth.basic.login
+      }
+    };
+  } else if ("jwt" in auth) {
+    return {
+      type: "jwt",
+      auth: {
+        decodeResource: auth.decodeResource
+      }
+    };
+  } else {
+    return {
+      type: "jwt",
+      auth: {
+        decodeResource: auth.decodeResource
+      }
+    };
+  }
+}
+
+// src/http/guards/hasPermissionChecks.ts
+function hasPermissionChecks(maybePermissionedAuth) {
+  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && "mapPermissions" in maybePermissionedAuth && ("allowedPermissions" in maybePermissionedAuth || "forbiddenPermissions" in maybePermissionedAuth);
+}
+
+// src/http/guards/hasRoleChecks.ts
+function hasRoleChecks(maybeRoledAuth) {
+  return typeof maybeRoledAuth === "object" && maybeRoledAuth !== null && "mapRoles" in maybeRoledAuth && ("allowedRoles" in maybeRoledAuth || "forbiddenRoles" in maybeRoledAuth);
+}
+
+// src/http/middleware/request/auth.middleware.ts
 var invalidAuthorizationTokenFormat = [
   401,
   "Invalid Authorization token format."
@@ -97,51 +137,52 @@ async function checkAuthorizationToken(authorizationMethod, authorizationToken,
   }
   const [tokenPrefix, token] = authorizationToken.split(" ");
   let resourceId;
-  switch (authorizationMethod.method) {
+  const { type, auth } = discriminateAuthMethod(authorizationMethod);
+  switch (type) {
     case "jwt": {
-      if (tokenPrefix !== "Bearer") {
+      if (tokenPrefix !== (authorizationMethod.tokenPrefix ?? "Bearer")) {
         return invalidAuthorizationTokenFormat;
       }
       try {
-        const decodedJwt = await jwtVerify(
+        const decodedJwt = await auth?.decodeResource?.(token) ?? (await jwtVerify(
           token,
-          new TextEncoder().encode(
-            // TODO: Check this at application startup if there is any route with jwt checking
-            process.env.JWT_SECRET
-          )
-        );
-        if (!decodedJwt.payload.sub) {
+          new TextEncoder().encode(process.env.JWT_SECRET)
+        )).payload;
+        if (!decodedJwt) {
           return invalidAuthorizationSubject;
         }
-        resourceId = decodedJwt.payload.sub;
+        resourceId = decodedJwt;
       } catch (error) {
-        req.openTelemetryCollector.error(error);
+        req?.openTelemetryCollector.error(error);
         return invalidAuthorizationToken;
       }
       break;
     }
     case "basic": {
-      if (authorizationToken !== "Basic") {
-        return invalidAuthorizationTokenFormat;
-      }
-      const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
-      if (!username || !password) {
+      if (tokenPrefix !== (authorizationMethod.tokenPrefix ?? "Basic")) {
         return invalidAuthorizationTokenFormat;
       }
-      if (!authorizationMethod.login(username, password)) {
-        return invalidAuthorizationLogin;
+      if (auth.decodeResource) {
+        resourceId = await auth.decodeResource(token);
+      } else {
+        const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
+        if (!username || !password) {
+          return invalidAuthorizationTokenFormat;
+        }
+        if (!auth.login(username, password)) {
+          return invalidAuthorizationLogin;
+        }
+        resourceId = {
+          sub: username
+        };
       }
-      resourceId = username;
       break;
     }
-    case "other":
-      if (tokenPrefix !== authorizationMethod.tokenPrefix) {
-        return invalidAuthorizationTokenFormat;
-      }
-      resourceId = authorizationMethod.decodeResource(token);
-      break;
+    default:
+      isNever(type);
+      return [401, "Invalid Authorization method."];
   }
-  if (authorizationMethod.allowedPermissions || authorizationMethod.forbiddenPermissions) {
+  if (hasPermissionChecks(authorizationMethod)) {
     if (!authorizationMethod.mapPermissions) {
       return [500, "No permission mapping function provided."];
     }
@@ -149,49 +190,49 @@ async function checkAuthorizationToken(authorizationMethod, authorizationToken,
       resourceId,
       req
     );
-    if (authorizationMethod.allowedPermissions) {
+    if ("allowedPermissions" in authorizationMethod && authorizationMethod.allowedPermissions) {
       if (resourcePermissions.intersection(authorizationMethod.allowedPermissions).size === 0) {
         return invalidAuthorizationTokenPermissions;
       }
     }
-    if (authorizationMethod.forbiddenPermissions) {
+    if ("forbiddenPermissions" in authorizationMethod && authorizationMethod.forbiddenPermissions) {
       if (resourcePermissions.intersection(
         authorizationMethod.forbiddenPermissions
       ).size !== 0) {
         return invalidAuthorizationTokenPermissions;
       }
     }
-  }
-  if (authorizationMethod.allowedRoles || authorizationMethod.forbiddenRoles) {
+  } else if (hasRoleChecks(authorizationMethod)) {
     if (!authorizationMethod.mapRoles) {
       return [500, "No role mapping function provided."];
     }
     const resourceRoles = await authorizationMethod.mapRoles(resourceId, req);
-    if (authorizationMethod.allowedRoles) {
+    if ("allowedRoles" in authorizationMethod && authorizationMethod.allowedRoles) {
       if (resourceRoles.intersection(authorizationMethod.allowedRoles).size === 0) {
         return invalidAuthorizationTokenRoles;
       }
     }
-    if (authorizationMethod.forbiddenRoles) {
+    if ("forbiddenRoles" in authorizationMethod && authorizationMethod.forbiddenRoles) {
       if (resourceRoles.intersection(authorizationMethod.forbiddenRoles).size !== 0) {
         return invalidAuthorizationTokenRoles;
       }
     }
+  } else {
+    return [401, "Invalid Authorization method."];
   }
-  return [401, "Invalid Authorization method."];
 }
 async function parseRequestAuth(req, res, next) {
   const auth = req.contractDetails.auth;
   if (auth) {
     const [error, message] = await checkAuthorizationToken(
       auth,
-      req.headers[(auth.method === "other" ? auth.headerName : void 0) ?? "Authorization"],
+      req.headers[auth.headerName ?? "Authorization"] || req.headers[auth.headerName ?? "authorization"],
       req
     ) ?? [];
     if (error != null) {
       res.type("text/plain");
       res.status(error).send(message);
-      next?.(new Error(message));
+      return;
     }
   }
   next?.();
@@ -262,7 +303,7 @@ function isForklaunchRequest(request) {
 }
 
 // src/http/telemetry/pinoLogger.ts
-import { isNever, safeStringify } from "@forklaunch/common";
+import { isNever as isNever2, safeStringify } from "@forklaunch/common";
 import { trace as trace2 } from "@opentelemetry/api";
 import { logs } from "@opentelemetry/api-logs";
 import pino from "pino";
@@ -294,7 +335,7 @@ function mapSeverity(level) {
     case "fatal":
       return 21;
     default:
-      isNever(level);
+      isNever2(level);
       return 0;
   }
 }
@@ -540,7 +581,18 @@ function parse(req, res, next) {
       enumerable: true,
       configurable: false
     });
-    req.headers = parsedRequest.value.headers ?? {};
+    const parsedHeaders = parsedRequest.value.headers ?? {};
+    req.headers = Object.keys(req.headers).reduce(
+      (acc, key) => {
+        if (parsedHeaders?.[key]) {
+          acc[key] = parsedHeaders[key];
+        } else {
+          acc[key] = req.headers[key];
+        }
+        return acc;
+      },
+      {}
+    );
   }
   if (!parsedRequest.ok) {
     switch (req.contractDetails.options?.requestValidation) {
@@ -1457,6 +1509,11 @@ var trace3 = (_schemaValidator, path, contractDetails, ...handlers) => {
   return typedHandler(_schemaValidator, path, "trace", contractDetails, ...handlers);
 };
 
+// src/http/handlers/typedAuthHandler.ts
+function typedAuthHandler(_schemaValidator, _contractDetails, authHandler) {
+  return authHandler;
+}
+
 // src/http/httpStatusCodes.ts
 var HTTPStatuses = {
   /**
@@ -2441,8 +2498,8 @@ var getCodeForStatus = (status) => {
 var httpStatusCodes_default = HTTPStatuses;
 
 // src/http/mcpGenerator/mcpGenerator.ts
-import { isNever as isNever2, isRecord, safeStringify as safeStringify2 } from "@forklaunch/common";
-import { ZodSchemaValidator } from "@forklaunch/validator/zod";
+import { isNever as isNever3, isRecord, safeStringify as safeStringify2 } from "@forklaunch/common";
+import { string, ZodSchemaValidator } from "@forklaunch/validator/zod";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
 // src/http/router/unpackRouters.ts
@@ -2499,14 +2556,15 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, route
         ...route.contractDetails.params ? { params: schemaValidator.schemify(route.contractDetails.params) } : {},
         ...route.contractDetails.query ? { query: schemaValidator.schemify(route.contractDetails.query) } : {},
         ...route.contractDetails.requestHeaders ? {
-          headers: schemaValidator.schemify(
-            route.contractDetails.requestHeaders
-          )
+          headers: schemaValidator.schemify({
+            ...route.contractDetails.requestHeaders,
+            ...route.contractDetails.auth ? {
+              [route.contractDetails.auth.headerName ?? "authorization"]: string.startsWith(
+                route.contractDetails.auth.tokenPrefix ?? ("basic" in route.contractDetails.auth ? "Basic " : "Bearer ")
+              )
+            } : {}
+          })
         } : {}
-        // TODO: support auth
-        //   ...(route.contractDetails.auth
-        //     ? { auth: route.contractDetails.auth }
-        //     : {})
       };
       mcpServer.tool(
         route.contractDetails.name,
@@ -2568,7 +2626,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, route
                 break;
               }
               default: {
-                isNever2(discriminatedBody.parserType);
+                isNever3(discriminatedBody.parserType);
                 parsedBody = safeStringify2(body);
                 break;
               }
@@ -2718,7 +2776,7 @@ ${parseErrors.join("\n\n")}`
 // src/http/middleware/response/enrichExpressLikeSend.middleware.ts
 import {
   isAsyncGenerator,
-  isNever as isNever3,
+  isNever as isNever4,
   isNodeJsWriteableStream,
   isRecord as isRecord2,
   readableStreamToAsyncIterable,
@@ -2855,7 +2913,7 @@ ${res.locals.errorMessage}`;
           res.bodyData = data;
           break;
         default:
-          isNever3(parserType);
+          isNever4(parserType);
           res.bodyData = data;
           break;
       }
@@ -2901,7 +2959,7 @@ function transformBasePath(basePath) {
   }
   return `/${basePath}`;
 }
-function generateOpenApiDocument(protocol, host, port, tags, paths, otherServers) {
+function generateOpenApiDocument(protocol, host, port, tags, paths, securitySchemes, otherServers) {
   return {
     openapi: "3.1.0",
     info: {
@@ -2909,13 +2967,7 @@ function generateOpenApiDocument(protocol, host, port, tags, paths, otherServers
       version: process.env.VERSION || "1.0.0"
     },
     components: {
-      securitySchemes: {
-        bearer: {
-          type: "http",
-          scheme: "bearer",
-          bearerFormat: "JWT"
-        }
-      }
+      securitySchemes
     },
     tags,
     servers: [
@@ -2947,6 +2999,7 @@ function contentResolver(schemaValidator, body, contentType) {
 function generateSwaggerDocument(schemaValidator, protocol, host, port, routers, otherServers) {
   const tags = [];
   const paths = {};
+  const securitySchemes = {};
   unpackRouters(routers).forEach(({ fullPath, router, sdkPath }) => {
     const controllerName = transformBasePath(fullPath);
     tags.push({
@@ -3043,14 +3096,39 @@ function generateSwaggerDocument(schemaValidator, protocol, host, port, routers,
           description: httpStatusCodes_default[403],
           content: contentResolver(schemaValidator, schemaValidator.string)
         };
-        if (route.contractDetails.auth.method === "jwt") {
+        if ("basic" in route.contractDetails.auth) {
+          operationObject.security = [
+            {
+              basic: Array.from(
+                "allowedPermissions" in route.contractDetails.auth ? route.contractDetails.auth.allowedPermissions?.values() || [] : []
+              )
+            }
+          ];
+          securitySchemes["basic"] = {
+            type: "http",
+            scheme: "basic"
+          };
+        } else if (route.contractDetails.auth) {
           operationObject.security = [
             {
-              bearer: Array.from(
-                route.contractDetails.auth.allowedPermissions?.values() || []
+              [route.contractDetails.auth.headerName !== "Authorization" ? "bearer" : "apiKey"]: Array.from(
+                "allowedPermissions" in route.contractDetails.auth ? route.contractDetails.auth.allowedPermissions?.values() || [] : []
               )
             }
           ];
+          if (route.contractDetails.auth.headerName && route.contractDetails.auth.headerName !== "Authorization") {
+            securitySchemes[route.contractDetails.auth.headerName] = {
+              type: "apiKey",
+              in: "header",
+              name: route.contractDetails.auth.headerName
+            };
+          } else {
+            securitySchemes["Authorization"] = {
+              type: "http",
+              scheme: "bearer",
+              bearerFormat: "JWT"
+            };
+          }
         }
       }
       if (route.method !== "middleware") {
@@ -3064,6 +3142,7 @@ function generateSwaggerDocument(schemaValidator, protocol, host, port, routers,
     port,
     tags,
     paths,
+    securitySchemes,
     otherServers
   );
 }
@@ -3129,6 +3208,7 @@ export {
   put,
   recordMetric,
   trace3 as trace,
+  typedAuthHandler,
   typedHandler
 };
 //# sourceMappingURL=index.mjs.map