npm - @forklaunch/core - Versions diffs - 0.14.9 → 0.14.11 - Mend

@forklaunch/core 0.14.9 → 0.14.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/http/index.js CHANGED Viewed

@@ -158,6 +158,7 @@ function isTypedHandler(maybeTypedHandler) {
 // src/http/middleware/request/auth.middleware.ts
 var import_common3 = require("@forklaunch/common");
+var import_validator = require("@forklaunch/validator");
 // src/http/discriminateAuthMethod.ts
 var import_jose = require("jose");
@@ -176,10 +177,12 @@ function createHmacToken({
   const hmac = (0, import_crypto.createHmac)("sha256", secretKey);
   const bodyString = body ? `${(0, import_common2.safeStringify)(body)}
 ` : void 0;
-  hmac.update(`${method}
+  hmac.update(
+    `${method}
 ${path}
-${bodyString}${timestamp}
-${nonce}`);
+${bodyString}${timestamp.toISOString()}
+${nonce}`
+  );
   return hmac.digest("base64");
 }
@@ -199,6 +202,12 @@ function isJwtAuthMethod(maybeJwtAuthMethod) {
 }
 // src/http/discriminateAuthMethod.ts
+var DEFAULT_TTL = 60 * 1e3 * 5;
+var memoizedJwks = {
+  value: null,
+  lastUpdated: null,
+  ttl: DEFAULT_TTL
+};
 async function discriminateAuthMethod(auth) {
   let authMethod;
   if (isBasicAuthMethod(auth)) {
@@ -223,8 +232,17 @@ async function discriminateAuthMethod(auth) {
     } else {
       let jwks;
       if ("jwksPublicKeyUrl" in jwt) {
-        const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
-        jwks = (await jwksResponse.json()).keys;
+        if (memoizedJwks.value && memoizedJwks.lastUpdated && Date.now() - memoizedJwks.lastUpdated.getTime() < memoizedJwks.ttl) {
+          jwks = memoizedJwks.value;
+        } else {
+          const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
+          jwks = (await jwksResponse.json()).keys;
+          memoizedJwks.value = jwks;
+          memoizedJwks.lastUpdated = /* @__PURE__ */ new Date();
+          memoizedJwks.ttl = parseInt(
+            jwksResponse.headers.get("cache-control")?.split("=")[1] ?? `${DEFAULT_TTL / 1e3}`
+          ) * 1e3;
+        }
       } else if ("jwksPublicKey" in jwt) {
         jwks = [jwt.jwksPublicKey];
       }
@@ -234,6 +252,9 @@ async function discriminateAuthMethod(auth) {
             const { payload } = await (0, import_jose.jwtVerify)(token, key);
             return payload;
           } catch {
+            memoizedJwks.value = null;
+            memoizedJwks.lastUpdated = null;
+            memoizedJwks.ttl = DEFAULT_TTL;
             continue;
           }
         }
@@ -337,7 +358,7 @@ function parseHmacTokenPart(part, expectedKey) {
   if (key !== expectedKey || rest.length === 0) return void 0;
   return rest.join("=");
 }
-async function checkAuthorizationToken(authorizationMethod, globalOptions, authorizationToken, req) {
+async function checkAuthorizationToken(req, authorizationMethod, authorizationToken, globalOptions) {
   if (authorizationMethod == null) {
     return void 0;
   }
@@ -352,7 +373,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
   if (!tokenParts.length || !tokenPrefix) {
     return invalidAuthorizationTokenFormat;
   }
-  let resourceId;
+  let sessionPayload;
   const { type, auth } = await discriminateAuthMethod(
     collapsedAuthorizationMethod
   );
@@ -376,7 +397,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         method: req?.method ?? "",
         path: req?.path ?? "",
         body: req?.body,
-        timestamp: parsedTimestamp,
+        timestamp: new Date(parsedTimestamp),
         nonce: parsedNonce,
         signature: parsedSignature,
         secretKey: collapsedAuthorizationMethod.hmac.secretKeys[parsedKeyId]
@@ -384,7 +405,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       if (!verificationResult) {
         return invalidAuthorizationSignature;
       }
-      resourceId = null;
+      sessionPayload = null;
       break;
     }
     case "jwt": {
@@ -397,7 +418,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!decodedJwt) {
           return invalidAuthorizationToken;
         }
-        resourceId = decodedJwt;
+        sessionPayload = decodedJwt;
       } catch (error) {
         req?.openTelemetryCollector.error(error);
         return invalidAuthorizationToken;
@@ -410,7 +431,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         return invalidAuthorizationTokenFormat;
       }
       if (auth.decodeResource) {
-        resourceId = await auth.decodeResource(token);
+        sessionPayload = await auth.decodeResource(token);
       } else {
         const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
         if (!username || !password) {
@@ -419,7 +440,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!auth.login(username, password)) {
           return invalidAuthorizationLogin;
         }
-        resourceId = {
+        sessionPayload = {
           sub: username
         };
       }
@@ -429,16 +450,29 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       (0, import_common3.isNever)(type);
       return [401, "Invalid Authorization method."];
   }
-  if (isHmacMethod(collapsedAuthorizationMethod) && resourceId == null) {
+  if (isHmacMethod(collapsedAuthorizationMethod) && sessionPayload == null) {
     return;
   }
-  if (resourceId == null) {
+  if (sessionPayload == null) {
     return invalidAuthorizationToken;
   }
+  req.session = sessionPayload;
+  if (collapsedAuthorizationMethod.sessionSchema) {
+    const parsedSession = req.schemaValidator.parse(
+      collapsedAuthorizationMethod.sessionSchema,
+      sessionPayload
+    );
+    if (!parsedSession.ok) {
+      return [
+        400,
+        `Invalid session: ${(0, import_validator.prettyPrintParseErrors)(parsedSession.errors, "Session")}`
+      ];
+    }
+  }
   if (hasScopeChecks(collapsedAuthorizationMethod)) {
     if (collapsedAuthorizationMethod.surfaceScopes) {
       const resourceScopes = await collapsedAuthorizationMethod.surfaceScopes(
-        resourceId,
+        sessionPayload,
         req
       );
       if (collapsedAuthorizationMethod.scopeHeirarchy) {
@@ -457,7 +491,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No permission surfacing function provided."];
     }
     const resourcePermissions = await collapsedAuthorizationMethod.surfacePermissions(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedPermissions" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedPermissions) {
@@ -479,7 +513,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No role surfacing function provided."];
     }
     const resourceRoles = await collapsedAuthorizationMethod.surfaceRoles(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedRoles" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedRoles) {
@@ -499,10 +533,10 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
 async function parseRequestAuth(req, res, next) {
   const auth = req.contractDetails.auth;
   const [error, message] = await checkAuthorizationToken(
+    req,
     auth,
-    req._globalOptions?.()?.auth,
     req.headers[auth?.headerName ?? "Authorization"] || req.headers[auth?.headerName ?? "authorization"],
-    req
+    req._globalOptions?.()?.auth
   ) ?? [];
   if (error != null) {
     res.type("text/plain");
@@ -871,7 +905,7 @@ function enrichDetails(path, contractDetails, requestSchema, responseSchemas, op
 // src/http/middleware/request/parse.middleware.ts
 var import_common8 = require("@forklaunch/common");
-var import_validator = require("@forklaunch/validator");
+var import_validator2 = require("@forklaunch/validator");
 // src/http/guards/hasSend.ts
 function hasSend(res) {
@@ -909,7 +943,7 @@ function parse(req, res, next) {
           req.version = version;
           res.version = req.version;
         } else {
-          runningParseErrors += (0, import_validator.prettyPrintParseErrors)(
+          runningParseErrors += (0, import_validator2.prettyPrintParseErrors)(
             parsingResult.errors,
             `Version ${version} request`
           );
@@ -967,7 +1001,7 @@ function parse(req, res, next) {
         res.status(400);
         if (hasSend(res)) {
           res.send(
-            `${collectedParseErrors ?? (0, import_validator.prettyPrintParseErrors)(parsedRequest.errors, "Request")}
+            `${collectedParseErrors ?? (0, import_validator2.prettyPrintParseErrors)(parsedRequest.errors, "Request")}
 Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
           );
@@ -977,7 +1011,7 @@ Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
         return;
       case "warning":
         req.openTelemetryCollector.warn(
-          collectedParseErrors ?? (0, import_validator.prettyPrintParseErrors)(parsedRequest.errors, "Request")
+          collectedParseErrors ?? (0, import_validator2.prettyPrintParseErrors)(parsedRequest.errors, "Request")
         );
         break;
       case "none":
@@ -3261,7 +3295,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
 }
 // src/http/middleware/response/parse.middleware.ts
-var import_validator2 = require("@forklaunch/validator");
+var import_validator3 = require("@forklaunch/validator");
 // src/http/guards/isResponseCompiledSchema.ts
 function isResponseCompiledSchema(schema) {
@@ -3322,13 +3356,13 @@ function parse2(req, res, next) {
   );
   const parseErrors = [];
   if (!parsedHeaders.ok) {
-    const headerErrors = (0, import_validator2.prettyPrintParseErrors)(parsedHeaders.errors, "Header");
+    const headerErrors = (0, import_validator3.prettyPrintParseErrors)(parsedHeaders.errors, "Header");
     if (headerErrors) {
       parseErrors.push(headerErrors);
     }
   }
   if (!parsedResponse.ok) {
-    const responseErrors = (0, import_validator2.prettyPrintParseErrors)(
+    const responseErrors = (0, import_validator3.prettyPrintParseErrors)(
       parsedResponse.errors,
       "Response"
     );