@forklaunch/core 0.14.8 → 0.14.11-beta.1

package/lib/http/index.mjs

@@ -81,11 +81,15 @@ function isTypedHandler(maybeTypedHandler) {
 
 // src/http/middleware/request/auth.middleware.ts
 import { isNever } from "@forklaunch/common";
+import {
+  prettyPrintParseErrors
+} from "@forklaunch/validator";
 
 // src/http/discriminateAuthMethod.ts
 import { jwtVerify } from "jose";
 
 // src/http/createHmacToken.ts
+import { safeStringify } from "@forklaunch/common";
 import { createHmac } from "crypto";
 function createHmacToken({
   method,
@@ -96,11 +100,14 @@ function createHmacToken({
   secretKey
 }) {
   const hmac = createHmac("sha256", secretKey);
-  hmac.update(`${method}
+  const bodyString = body ? `${safeStringify(body)}
+` : void 0;
+  hmac.update(
+    `${method}
 ${path}
-${body}
-${timestamp}
-${nonce}`);
+${bodyString}${timestamp.toISOString()}
+${nonce}`
+  );
   return hmac.digest("base64");
 }
 
@@ -120,6 +127,12 @@ function isJwtAuthMethod(maybeJwtAuthMethod) {
 }
 
 // src/http/discriminateAuthMethod.ts
+var DEFAULT_TTL = 60 * 1e3 * 5;
+var memoizedJwks = {
+  value: null,
+  lastUpdated: null,
+  ttl: DEFAULT_TTL
+};
 async function discriminateAuthMethod(auth) {
   let authMethod;
   if (isBasicAuthMethod(auth)) {
@@ -144,8 +157,17 @@ async function discriminateAuthMethod(auth) {
     } else {
       let jwks;
       if ("jwksPublicKeyUrl" in jwt) {
-        const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
-        jwks = (await jwksResponse.json()).keys;
+        if (memoizedJwks.value && memoizedJwks.lastUpdated && Date.now() - memoizedJwks.lastUpdated.getTime() < memoizedJwks.ttl) {
+          jwks = memoizedJwks.value;
+        } else {
+          const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
+          jwks = (await jwksResponse.json()).keys;
+          memoizedJwks.value = jwks;
+          memoizedJwks.lastUpdated = /* @__PURE__ */ new Date();
+          memoizedJwks.ttl = parseInt(
+            jwksResponse.headers.get("cache-control")?.split("=")[1] ?? `${DEFAULT_TTL / 1e3}`
+          ) * 1e3;
+        }
       } else if ("jwksPublicKey" in jwt) {
         jwks = [jwt.jwksPublicKey];
       }
@@ -155,6 +177,9 @@ async function discriminateAuthMethod(auth) {
             const { payload } = await jwtVerify(token, key);
             return payload;
           } catch {
+            memoizedJwks.value = null;
+            memoizedJwks.lastUpdated = null;
+            memoizedJwks.ttl = DEFAULT_TTL;
             continue;
           }
         }
@@ -172,7 +197,15 @@ async function discriminateAuthMethod(auth) {
       type: "hmac",
       auth: {
         secretKeys: auth.hmac.secretKeys,
-        verificationFunction: async (method, path, body, timestamp, nonce, signature, secretKey) => {
+        verificationFunction: async ({
+          method,
+          path,
+          body,
+          timestamp,
+          nonce,
+          signature,
+          secretKey
+        }) => {
           return createHmacToken({
             method,
             path,
@@ -250,7 +283,7 @@ function parseHmacTokenPart(part, expectedKey) {
   if (key !== expectedKey || rest.length === 0) return void 0;
   return rest.join("=");
 }
-async function checkAuthorizationToken(authorizationMethod, globalOptions, authorizationToken, req) {
+async function checkAuthorizationToken(req, authorizationMethod, authorizationToken, globalOptions) {
   if (authorizationMethod == null) {
     return void 0;
   }
@@ -265,7 +298,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
   if (!tokenParts.length || !tokenPrefix) {
     return invalidAuthorizationTokenFormat;
   }
-  let resourceId;
+  let sessionPayload;
   const { type, auth } = await discriminateAuthMethod(
     collapsedAuthorizationMethod
   );
@@ -285,19 +318,19 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       if (!parsedKeyId || !parsedTimestamp || !parsedNonce || !parsedSignature) {
         return invalidAuthorizationTokenFormat;
       }
-      const verificationResult = await auth.verificationFunction(
-        req?.method ?? "",
-        req?.path ?? "",
-        JSON.stringify(req?.body ?? ""),
-        parsedTimestamp,
-        parsedNonce,
-        parsedSignature,
-        collapsedAuthorizationMethod.hmac.secretKeys[parsedKeyId]
-      );
+      const verificationResult = await auth.verificationFunction({
+        method: req?.method ?? "",
+        path: req?.path ?? "",
+        body: req?.body,
+        timestamp: new Date(parsedTimestamp),
+        nonce: parsedNonce,
+        signature: parsedSignature,
+        secretKey: collapsedAuthorizationMethod.hmac.secretKeys[parsedKeyId]
+      });
       if (!verificationResult) {
         return invalidAuthorizationSignature;
       }
-      resourceId = null;
+      sessionPayload = null;
       break;
     }
     case "jwt": {
@@ -310,7 +343,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!decodedJwt) {
           return invalidAuthorizationToken;
         }
-        resourceId = decodedJwt;
+        sessionPayload = decodedJwt;
       } catch (error) {
         req?.openTelemetryCollector.error(error);
         return invalidAuthorizationToken;
@@ -323,7 +356,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         return invalidAuthorizationTokenFormat;
       }
       if (auth.decodeResource) {
-        resourceId = await auth.decodeResource(token);
+        sessionPayload = await auth.decodeResource(token);
       } else {
         const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
         if (!username || !password) {
@@ -332,7 +365,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!auth.login(username, password)) {
           return invalidAuthorizationLogin;
         }
-        resourceId = {
+        sessionPayload = {
           sub: username
         };
       }
@@ -342,16 +375,29 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       isNever(type);
       return [401, "Invalid Authorization method."];
   }
-  if (isHmacMethod(collapsedAuthorizationMethod) && resourceId == null) {
+  if (isHmacMethod(collapsedAuthorizationMethod) && sessionPayload == null) {
     return;
   }
-  if (resourceId == null) {
+  if (sessionPayload == null) {
     return invalidAuthorizationToken;
   }
+  req.session = sessionPayload;
+  if (collapsedAuthorizationMethod.sessionSchema) {
+    const parsedSession = req.schemaValidator.parse(
+      collapsedAuthorizationMethod.sessionSchema,
+      sessionPayload
+    );
+    if (!parsedSession.ok) {
+      return [
+        400,
+        `Invalid session: ${prettyPrintParseErrors(parsedSession.errors, "Session")}`
+      ];
+    }
+  }
   if (hasScopeChecks(collapsedAuthorizationMethod)) {
     if (collapsedAuthorizationMethod.surfaceScopes) {
       const resourceScopes = await collapsedAuthorizationMethod.surfaceScopes(
-        resourceId,
+        sessionPayload,
         req
       );
       if (collapsedAuthorizationMethod.scopeHeirarchy) {
@@ -370,7 +416,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No permission surfacing function provided."];
     }
     const resourcePermissions = await collapsedAuthorizationMethod.surfacePermissions(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedPermissions" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedPermissions) {
@@ -392,7 +438,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No role surfacing function provided."];
     }
     const resourceRoles = await collapsedAuthorizationMethod.surfaceRoles(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedRoles" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedRoles) {
@@ -412,10 +458,10 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
 async function parseRequestAuth(req, res, next) {
   const auth = req.contractDetails.auth;
   const [error, message] = await checkAuthorizationToken(
+    req,
     auth,
-    req._globalOptions?.()?.auth,
     req.headers[auth?.headerName ?? "Authorization"] || req.headers[auth?.headerName ?? "authorization"],
-    req
+    req._globalOptions?.()?.auth
   ) ?? [];
   if (error != null) {
     res.type("text/plain");
@@ -794,7 +840,7 @@ function enrichDetails(path, contractDetails, requestSchema, responseSchemas, op
 // src/http/middleware/request/parse.middleware.ts
 import { isRecord } from "@forklaunch/common";
 import {
-  prettyPrintParseErrors
+  prettyPrintParseErrors as prettyPrintParseErrors2
 } from "@forklaunch/validator";
 
 // src/http/guards/hasSend.ts
@@ -833,7 +879,7 @@ function parse(req, res, next) {
           req.version = version;
           res.version = req.version;
         } else {
-          runningParseErrors += prettyPrintParseErrors(
+          runningParseErrors += prettyPrintParseErrors2(
             parsingResult.errors,
             `Version ${version} request`
           );
@@ -891,7 +937,7 @@ function parse(req, res, next) {
         res.status(400);
         if (hasSend(res)) {
           res.send(
-            `${collectedParseErrors ?? prettyPrintParseErrors(parsedRequest.errors, "Request")}
+            `${collectedParseErrors ?? prettyPrintParseErrors2(parsedRequest.errors, "Request")}
 
 Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
           );
@@ -901,7 +947,7 @@ Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
         return;
       case "warning":
         req.openTelemetryCollector.warn(
-          collectedParseErrors ?? prettyPrintParseErrors(parsedRequest.errors, "Request")
+          collectedParseErrors ?? prettyPrintParseErrors2(parsedRequest.errors, "Request")
         );
         break;
       case "none":
@@ -2919,7 +2965,7 @@ var getCodeForStatus = (status) => {
 var httpStatusCodes_default = HTTPStatuses;
 
 // src/http/mcpGenerator/mcpGenerator.ts
-import { isNever as isNever3, isRecord as isRecord3, safeStringify } from "@forklaunch/common";
+import { isNever as isNever3, isRecord as isRecord3, safeStringify as safeStringify2 } from "@forklaunch/common";
 import { FastMCP } from "@forklaunch/fastmcp-fork";
 import { string, ZodSchemaValidator } from "@forklaunch/validator/zod";
 
@@ -3056,7 +3102,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
           if (discriminatedBody) {
             switch (discriminatedBody.parserType) {
               case "json": {
-                parsedBody = safeStringify(body);
+                parsedBody = safeStringify2(body);
                 break;
               }
               case "text": {
@@ -3088,7 +3134,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
                   parsedBody = new URLSearchParams(
                     Object.entries(body).map(([key, value]) => [
                       key,
-                      safeStringify(value)
+                      safeStringify2(value)
                     ])
                   );
                 } else {
@@ -3098,7 +3144,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
               }
               default: {
                 isNever3(discriminatedBody.parserType);
-                parsedBody = safeStringify(body);
+                parsedBody = safeStringify2(body);
                 break;
               }
             }
@@ -3107,7 +3153,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
             const queryString = new URLSearchParams(
               Object.entries(query).map(([key, value]) => [
                 key,
-                safeStringify(value)
+                safeStringify2(value)
               ])
             ).toString();
             url += queryString ? `?${queryString}` : "";
@@ -3140,7 +3186,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
                 content: [
                   {
                     type: "text",
-                    text: safeStringify(await response.json())
+                    text: safeStringify2(await response.json())
                   }
                 ]
               };
@@ -3186,7 +3232,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
 
 // src/http/middleware/response/parse.middleware.ts
 import {
-  prettyPrintParseErrors as prettyPrintParseErrors2
+  prettyPrintParseErrors as prettyPrintParseErrors3
 } from "@forklaunch/validator";
 
 // src/http/guards/isResponseCompiledSchema.ts
@@ -3248,13 +3294,13 @@ function parse2(req, res, next) {
   );
   const parseErrors = [];
   if (!parsedHeaders.ok) {
-    const headerErrors = prettyPrintParseErrors2(parsedHeaders.errors, "Header");
+    const headerErrors = prettyPrintParseErrors3(parsedHeaders.errors, "Header");
     if (headerErrors) {
       parseErrors.push(headerErrors);
     }
   }
   if (!parsedResponse.ok) {
-    const responseErrors = prettyPrintParseErrors2(
+    const responseErrors = prettyPrintParseErrors3(
       parsedResponse.errors,
       "Response"
     );
@@ -3302,7 +3348,7 @@ import {
   isNodeJsWriteableStream,
   isRecord as isRecord4,
   readableStreamToAsyncIterable,
-  safeStringify as safeStringify2
+  safeStringify as safeStringify3
 } from "@forklaunch/common";
 import { Readable, Transform } from "stream";
 
@@ -3406,7 +3452,7 @@ ${res.locals.errorMessage}`;
         if (!errorSent) {
           let data2 = "";
           for (const [key, value] of Object.entries(chunk)) {
-            data2 += `${key}: ${typeof value === "string" ? value : safeStringify2(value)}
+            data2 += `${key}: ${typeof value === "string" ? value : safeStringify3(value)}
 `;
           }
           data2 += "\n";
@@ -3810,7 +3856,7 @@ function generateOpenApiSpecs(schemaValidator, serverUrls, serverDescriptions, a
 }
 
 // src/http/sdk/sdkClient.ts
-import { hashString, safeStringify as safeStringify3, toRecord as toRecord2 } from "@forklaunch/common";
+import { hashString, safeStringify as safeStringify4, toRecord as toRecord2 } from "@forklaunch/common";
 
 // src/http/guards/isSdkRouter.ts
 function isSdkRouter(value) {
@@ -3822,12 +3868,12 @@ function mapToSdk(schemaValidator, routerMap, runningPath = void 0) {
   const routerUniquenessCache = /* @__PURE__ */ new Set();
   return Object.fromEntries(
     Object.entries(routerMap).map(([key, value]) => {
-      if (routerUniquenessCache.has(hashString(safeStringify3(value)))) {
+      if (routerUniquenessCache.has(hashString(safeStringify4(value)))) {
         throw new Error(
           `SdkClient: Cannot use the same router pointer twice. Please clone the duplicate router with .clone() or only use the router once.`
         );
       }
-      routerUniquenessCache.add(hashString(safeStringify3(value)));
+      routerUniquenessCache.add(hashString(safeStringify4(value)));
       const currentPath = runningPath ? [runningPath, key].join(".") : key;
       if (isSdkRouter(value)) {
         Object.entries(value.sdkPaths).forEach(([routePath, sdkKey]) => {
@@ -3879,12 +3925,36 @@ function mapToFetch(schemaValidator, routerMap) {
     return (version ? toRecord2(toRecord2(flattenedFetchMap[path])[method ?? "GET"])[version] : toRecord2(flattenedFetchMap[path])[method ?? "GET"])(path, reqInit[0]);
   });
 }
-function sdkClient(schemaValidator, routerMap) {
-  return {
+function sdkClient(schemaValidator, routerMap, options2) {
+  if (options2?.lazyEvaluation) {
+    let _sdk;
+    let _fetch;
+    const lazyClient = {
+      _finalizedSdk: true,
+      get sdk() {
+        if (!_sdk) {
+          _sdk = mapToSdk(schemaValidator, routerMap);
+        }
+        return _sdk;
+      },
+      get fetch() {
+        if (!_fetch) {
+          _fetch = mapToFetch(schemaValidator, routerMap);
+        }
+        return _fetch;
+      }
+    };
+    return lazyClient;
+  }
+  const client = {
     _finalizedSdk: true,
     sdk: mapToSdk(schemaValidator, routerMap),
     fetch: mapToFetch(schemaValidator, routerMap)
   };
+  if (options2?.optimizePerformance) {
+    return client;
+  }
+  return client;
 }
 
 // src/http/sdk/sdkRouter.ts