@forklaunch/core 0.13.1 → 0.13.3

package/lib/http/index.js

@@ -159,22 +159,44 @@ function isTypedHandler(maybeTypedHandler) {
 var import_common2 = require("@forklaunch/common");
 
 // src/http/discriminateAuthMethod.ts
+var import_crypto = require("crypto");
 var import_jose = require("jose");
+
+// src/http/guards/isBasicAuthMethod.ts
+function isBasicAuthMethod(maybeBasicAuthMethod) {
+  return typeof maybeBasicAuthMethod === "object" && maybeBasicAuthMethod !== null && "basic" in maybeBasicAuthMethod && maybeBasicAuthMethod.basic != null;
+}
+
+// src/http/guards/isHmacMethod.ts
+function isHmacMethod(maybeHmacMethod) {
+  return typeof maybeHmacMethod === "object" && maybeHmacMethod !== null && "secretKey" in maybeHmacMethod && maybeHmacMethod.secretKey != null;
+}
+
+// src/http/guards/isJwtAuthMethod.ts
+function isJwtAuthMethod(maybeJwtAuthMethod) {
+  return typeof maybeJwtAuthMethod === "object" && maybeJwtAuthMethod !== null && "jwt" in maybeJwtAuthMethod && maybeJwtAuthMethod.jwt != null;
+}
+
+// src/http/discriminateAuthMethod.ts
 async function discriminateAuthMethod(auth) {
-  if ("basic" in auth) {
-    return {
+  let authMethod;
+  if (isBasicAuthMethod(auth)) {
+    authMethod = {
       type: "basic",
       auth: {
         decodeResource: auth.decodeResource,
         login: auth.basic.login
       }
     };
-  } else if ("jwt" in auth && auth.jwt != null) {
+  } else if (isJwtAuthMethod(auth)) {
     const jwt = auth.jwt;
     let verificationFunction;
-    if ("privateKey" in jwt) {
+    if ("signatureKey" in jwt) {
       verificationFunction = async (token) => {
-        const { payload } = await (0, import_jose.jwtVerify)(token, Buffer.from(jwt.privateKey));
+        const { payload } = await (0, import_jose.jwtVerify)(
+          token,
+          Buffer.from(jwt.signatureKey)
+        );
         return payload;
       };
     } else {
@@ -182,7 +204,7 @@ async function discriminateAuthMethod(auth) {
       if ("jwksPublicKeyUrl" in jwt) {
         const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
         jwks = (await jwksResponse.json()).keys;
-      } else {
+      } else if ("jwksPublicKey" in jwt) {
         jwks = [jwt.jwksPublicKey];
       }
       verificationFunction = async (token) => {
@@ -196,35 +218,35 @@ async function discriminateAuthMethod(auth) {
         }
       };
     }
-    return {
+    authMethod = {
       type: "jwt",
       auth: {
         decodeResource: auth.decodeResource,
         verificationFunction
       }
     };
-  } else if ("secretKey" in auth) {
-    return {
-      type: "system",
-      auth: {
-        secretKey: auth.secretKey
-      }
-    };
-  } else {
-    return {
-      type: "jwt",
+  } else if (isHmacMethod(auth)) {
+    authMethod = {
+      type: "hmac",
       auth: {
-        decodeResource: auth.decodeResource,
-        verificationFunction: async (token) => {
-          const { payload } = await (0, import_jose.jwtVerify)(
-            token,
-            Buffer.from(process.env.JWT_SECRET_KEY)
-          );
-          return payload;
+        secretKeys: auth.hmac.secretKeys,
+        verificationFunction: async (method, path, body, timestamp, nonce, signature, secretKey) => {
+          const hmac = (0, import_crypto.createHmac)("sha256", secretKey);
+          hmac.update(`${method}
+${path}
+${body}
+${timestamp}
+${nonce}`);
+          const digest = hmac.digest("base64");
+          return digest === signature;
         }
       }
     };
   }
+  if (authMethod == null) {
+    throw new Error("Invalid auth method");
+  }
+  return authMethod;
 }
 
 // src/http/guards/hasPermissionChecks.ts
@@ -242,19 +264,14 @@ function hasScopeChecks(maybePermissionedAuth) {
   return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && "requiredScope" in maybePermissionedAuth && maybePermissionedAuth.requiredScope != null;
 }
 
-// src/http/guards/isSystemAuthMethod.ts
-function isSystemAuthMethod(maybeSystemAuthMethod) {
-  return typeof maybeSystemAuthMethod === "object" && maybeSystemAuthMethod !== null && "secretKey" in maybeSystemAuthMethod;
-}
-
 // src/http/middleware/request/auth.middleware.ts
 var invalidAuthorizationTokenFormat = [
   401,
   "Invalid Authorization token format."
 ];
-var invalidAuthorizationSubject = [
+var invalidAuthorizationSignature = [
   403,
-  "Invalid Authorization subject."
+  "Invalid Authorization signature."
 ];
 var invalidAuthorizationTokenPermissions = [
   403,
@@ -281,6 +298,16 @@ var authorizationTokenRequired = [
   401,
   "Authorization token required."
 ];
+var invalidInstantiation = [
+  500,
+  "Invalid instantiation of authorization method."
+];
+function parseHmacTokenPart(part, expectedKey) {
+  if (!part) return void 0;
+  const [key, ...rest] = part.split("=");
+  if (key !== expectedKey || rest.length === 0) return void 0;
+  return rest.join("=");
+}
 async function checkAuthorizationToken(authorizationMethod, globalOptions, authorizationToken, req) {
   if (authorizationMethod == null) {
     return void 0;
@@ -292,27 +319,54 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
   if (authorizationToken == null) {
     return authorizationTokenRequired;
   }
-  const [tokenPrefix, token] = authorizationToken.split(" ");
+  const [tokenPrefix, ...tokenParts] = authorizationToken.split(" ");
+  if (!tokenParts.length || !tokenPrefix) {
+    return invalidAuthorizationTokenFormat;
+  }
   let resourceId;
   const { type, auth } = await discriminateAuthMethod(
     collapsedAuthorizationMethod
   );
   switch (type) {
-    case "system": {
-      if (token !== auth.secretKey || tokenPrefix !== collapsedAuthorizationMethod.tokenPrefix) {
+    case "hmac": {
+      const [keyId, timestamp, nonce, signature] = tokenParts;
+      if (keyId == null || timestamp == null || nonce == null || signature == null || tokenPrefix !== (collapsedAuthorizationMethod.tokenPrefix ?? "HMAC")) {
         return invalidAuthorizationToken;
       }
+      if (!collapsedAuthorizationMethod.hmac?.secretKeys) {
+        return invalidInstantiation;
+      }
+      const parsedKeyId = parseHmacTokenPart(keyId, "keyId");
+      const parsedTimestamp = parseHmacTokenPart(timestamp, "ts");
+      const parsedNonce = parseHmacTokenPart(nonce, "nonce");
+      const parsedSignature = parseHmacTokenPart(signature, "signature");
+      if (!parsedKeyId || !parsedTimestamp || !parsedNonce || !parsedSignature) {
+        return invalidAuthorizationTokenFormat;
+      }
+      const verificationResult = await auth.verificationFunction(
+        req?.method ?? "",
+        req?.path ?? "",
+        JSON.stringify(req?.body ?? ""),
+        parsedTimestamp,
+        parsedNonce,
+        parsedSignature,
+        collapsedAuthorizationMethod.hmac.secretKeys[parsedKeyId]
+      );
+      if (!verificationResult) {
+        return invalidAuthorizationSignature;
+      }
       resourceId = null;
       break;
     }
     case "jwt": {
+      const [token] = tokenParts;
       if (tokenPrefix !== (collapsedAuthorizationMethod.tokenPrefix ?? "Bearer")) {
         return invalidAuthorizationTokenFormat;
       }
       try {
         const decodedJwt = "decodeResource" in auth && auth.decodeResource ? await auth.decodeResource(token) : "verificationFunction" in auth && auth.verificationFunction ? await auth.verificationFunction(token) : void 0;
         if (!decodedJwt) {
-          return invalidAuthorizationSubject;
+          return invalidAuthorizationToken;
         }
         resourceId = decodedJwt;
       } catch (error) {
@@ -322,6 +376,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       break;
     }
     case "basic": {
+      const [token] = tokenParts;
       if (tokenPrefix !== (collapsedAuthorizationMethod.tokenPrefix ?? "Basic")) {
         return invalidAuthorizationTokenFormat;
       }
@@ -345,9 +400,12 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       (0, import_common2.isNever)(type);
       return [401, "Invalid Authorization method."];
   }
-  if (isSystemAuthMethod(collapsedAuthorizationMethod) || resourceId == null) {
+  if (isHmacMethod(collapsedAuthorizationMethod) && resourceId == null) {
     return;
   }
+  if (resourceId == null) {
+    return invalidAuthorizationToken;
+  }
   if (hasScopeChecks(collapsedAuthorizationMethod)) {
     if (collapsedAuthorizationMethod.surfaceScopes) {
       const resourceScopes = await collapsedAuthorizationMethod.surfaceScopes(
@@ -1345,13 +1403,15 @@ var ForklaunchExpressLikeRouter = class _ForklaunchExpressLikeRouter {
       const maybeTypedHandler = middlewareOrMiddlewareAndTypedHandler[middlewareOrMiddlewareAndTypedHandler.length - 1];
       if (isTypedHandler(maybeTypedHandler)) {
         const { contractDetails, handlers } = maybeTypedHandler;
-        const router = this.registerRoute(
-          method,
-          path,
-          registrationMethod,
-          contractDetails,
-          ...middlewareOrMiddlewareAndTypedHandler.concat(handlers)
-        );
+        const finalHandlers = [];
+        if (isExpressLikeSchemaHandler(contractDetailsOrMiddlewareOrTypedHandler)) {
+          finalHandlers.push(
+            contractDetailsOrMiddlewareOrTypedHandler
+          );
+        }
+        finalHandlers.push(...middlewareOrMiddlewareAndTypedHandler);
+        finalHandlers.push(...handlers);
+        const router = this.registerRoute(method, path, registrationMethod, contractDetails, ...finalHandlers);
         return router;
       } else {
         if (isExpressLikeSchemaHandler(contractDetailsOrMiddlewareOrTypedHandler) || isTypedHandler(contractDetailsOrMiddlewareOrTypedHandler)) {
@@ -1560,6 +1620,10 @@ var ForklaunchExpressLikeRouter = class _ForklaunchExpressLikeRouter {
     ].forEach((arg) => {
       if (isForklaunchRouter(arg)) {
         this.routers.push(arg);
+        arg.routerOptions = {
+          ...this.routerOptions ?? {},
+          ...arg.routerOptions ?? {}
+        };
       }
     });
     return this.registerNestableMiddlewareHandler(