@forklaunch/core 0.14.9 → 0.14.11

package/lib/http/index.mjs

@@ -81,6 +81,9 @@ function isTypedHandler(maybeTypedHandler) {
 
 // src/http/middleware/request/auth.middleware.ts
 import { isNever } from "@forklaunch/common";
+import {
+  prettyPrintParseErrors
+} from "@forklaunch/validator";
 
 // src/http/discriminateAuthMethod.ts
 import { jwtVerify } from "jose";
@@ -99,10 +102,12 @@ function createHmacToken({
   const hmac = createHmac("sha256", secretKey);
   const bodyString = body ? `${safeStringify(body)}
 ` : void 0;
-  hmac.update(`${method}
+  hmac.update(
+    `${method}
 ${path}
-${bodyString}${timestamp}
-${nonce}`);
+${bodyString}${timestamp.toISOString()}
+${nonce}`
+  );
   return hmac.digest("base64");
 }
 
@@ -122,6 +127,12 @@ function isJwtAuthMethod(maybeJwtAuthMethod) {
 }
 
 // src/http/discriminateAuthMethod.ts
+var DEFAULT_TTL = 60 * 1e3 * 5;
+var memoizedJwks = {
+  value: null,
+  lastUpdated: null,
+  ttl: DEFAULT_TTL
+};
 async function discriminateAuthMethod(auth) {
   let authMethod;
   if (isBasicAuthMethod(auth)) {
@@ -146,8 +157,17 @@ async function discriminateAuthMethod(auth) {
     } else {
       let jwks;
       if ("jwksPublicKeyUrl" in jwt) {
-        const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
-        jwks = (await jwksResponse.json()).keys;
+        if (memoizedJwks.value && memoizedJwks.lastUpdated && Date.now() - memoizedJwks.lastUpdated.getTime() < memoizedJwks.ttl) {
+          jwks = memoizedJwks.value;
+        } else {
+          const jwksResponse = await fetch(jwt.jwksPublicKeyUrl);
+          jwks = (await jwksResponse.json()).keys;
+          memoizedJwks.value = jwks;
+          memoizedJwks.lastUpdated = /* @__PURE__ */ new Date();
+          memoizedJwks.ttl = parseInt(
+            jwksResponse.headers.get("cache-control")?.split("=")[1] ?? `${DEFAULT_TTL / 1e3}`
+          ) * 1e3;
+        }
       } else if ("jwksPublicKey" in jwt) {
         jwks = [jwt.jwksPublicKey];
       }
@@ -157,6 +177,9 @@ async function discriminateAuthMethod(auth) {
             const { payload } = await jwtVerify(token, key);
             return payload;
           } catch {
+            memoizedJwks.value = null;
+            memoizedJwks.lastUpdated = null;
+            memoizedJwks.ttl = DEFAULT_TTL;
             continue;
           }
         }
@@ -260,7 +283,7 @@ function parseHmacTokenPart(part, expectedKey) {
   if (key !== expectedKey || rest.length === 0) return void 0;
   return rest.join("=");
 }
-async function checkAuthorizationToken(authorizationMethod, globalOptions, authorizationToken, req) {
+async function checkAuthorizationToken(req, authorizationMethod, authorizationToken, globalOptions) {
   if (authorizationMethod == null) {
     return void 0;
   }
@@ -275,7 +298,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
   if (!tokenParts.length || !tokenPrefix) {
     return invalidAuthorizationTokenFormat;
   }
-  let resourceId;
+  let sessionPayload;
   const { type, auth } = await discriminateAuthMethod(
     collapsedAuthorizationMethod
   );
@@ -299,7 +322,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         method: req?.method ?? "",
         path: req?.path ?? "",
         body: req?.body,
-        timestamp: parsedTimestamp,
+        timestamp: new Date(parsedTimestamp),
         nonce: parsedNonce,
         signature: parsedSignature,
         secretKey: collapsedAuthorizationMethod.hmac.secretKeys[parsedKeyId]
@@ -307,7 +330,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       if (!verificationResult) {
         return invalidAuthorizationSignature;
       }
-      resourceId = null;
+      sessionPayload = null;
       break;
     }
     case "jwt": {
@@ -320,7 +343,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!decodedJwt) {
           return invalidAuthorizationToken;
         }
-        resourceId = decodedJwt;
+        sessionPayload = decodedJwt;
       } catch (error) {
         req?.openTelemetryCollector.error(error);
         return invalidAuthorizationToken;
@@ -333,7 +356,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         return invalidAuthorizationTokenFormat;
       }
       if (auth.decodeResource) {
-        resourceId = await auth.decodeResource(token);
+        sessionPayload = await auth.decodeResource(token);
       } else {
         const [username, password] = Buffer.from(token, "base64").toString("utf-8").split(":");
         if (!username || !password) {
@@ -342,7 +365,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
         if (!auth.login(username, password)) {
           return invalidAuthorizationLogin;
         }
-        resourceId = {
+        sessionPayload = {
           sub: username
         };
       }
@@ -352,16 +375,29 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       isNever(type);
       return [401, "Invalid Authorization method."];
   }
-  if (isHmacMethod(collapsedAuthorizationMethod) && resourceId == null) {
+  if (isHmacMethod(collapsedAuthorizationMethod) && sessionPayload == null) {
     return;
   }
-  if (resourceId == null) {
+  if (sessionPayload == null) {
     return invalidAuthorizationToken;
   }
+  req.session = sessionPayload;
+  if (collapsedAuthorizationMethod.sessionSchema) {
+    const parsedSession = req.schemaValidator.parse(
+      collapsedAuthorizationMethod.sessionSchema,
+      sessionPayload
+    );
+    if (!parsedSession.ok) {
+      return [
+        400,
+        `Invalid session: ${prettyPrintParseErrors(parsedSession.errors, "Session")}`
+      ];
+    }
+  }
   if (hasScopeChecks(collapsedAuthorizationMethod)) {
     if (collapsedAuthorizationMethod.surfaceScopes) {
       const resourceScopes = await collapsedAuthorizationMethod.surfaceScopes(
-        resourceId,
+        sessionPayload,
         req
       );
       if (collapsedAuthorizationMethod.scopeHeirarchy) {
@@ -380,7 +416,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No permission surfacing function provided."];
     }
     const resourcePermissions = await collapsedAuthorizationMethod.surfacePermissions(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedPermissions" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedPermissions) {
@@ -402,7 +438,7 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
       return [500, "No role surfacing function provided."];
     }
     const resourceRoles = await collapsedAuthorizationMethod.surfaceRoles(
-      resourceId,
+      sessionPayload,
       req
     );
     if ("allowedRoles" in collapsedAuthorizationMethod && collapsedAuthorizationMethod.allowedRoles) {
@@ -422,10 +458,10 @@ async function checkAuthorizationToken(authorizationMethod, globalOptions, autho
 async function parseRequestAuth(req, res, next) {
   const auth = req.contractDetails.auth;
   const [error, message] = await checkAuthorizationToken(
+    req,
     auth,
-    req._globalOptions?.()?.auth,
     req.headers[auth?.headerName ?? "Authorization"] || req.headers[auth?.headerName ?? "authorization"],
-    req
+    req._globalOptions?.()?.auth
   ) ?? [];
   if (error != null) {
     res.type("text/plain");
@@ -804,7 +840,7 @@ function enrichDetails(path, contractDetails, requestSchema, responseSchemas, op
 // src/http/middleware/request/parse.middleware.ts
 import { isRecord } from "@forklaunch/common";
 import {
-  prettyPrintParseErrors
+  prettyPrintParseErrors as prettyPrintParseErrors2
 } from "@forklaunch/validator";
 
 // src/http/guards/hasSend.ts
@@ -843,7 +879,7 @@ function parse(req, res, next) {
           req.version = version;
           res.version = req.version;
         } else {
-          runningParseErrors += prettyPrintParseErrors(
+          runningParseErrors += prettyPrintParseErrors2(
             parsingResult.errors,
             `Version ${version} request`
           );
@@ -901,7 +937,7 @@ function parse(req, res, next) {
         res.status(400);
         if (hasSend(res)) {
           res.send(
-            `${collectedParseErrors ?? prettyPrintParseErrors(parsedRequest.errors, "Request")}
+            `${collectedParseErrors ?? prettyPrintParseErrors2(parsedRequest.errors, "Request")}
 
 Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
           );
@@ -911,7 +947,7 @@ Correlation id: ${req.context.correlationId ?? "No correlation ID"}`
         return;
       case "warning":
         req.openTelemetryCollector.warn(
-          collectedParseErrors ?? prettyPrintParseErrors(parsedRequest.errors, "Request")
+          collectedParseErrors ?? prettyPrintParseErrors2(parsedRequest.errors, "Request")
         );
         break;
       case "none":
@@ -3196,7 +3232,7 @@ function generateMcpServer(schemaValidator, protocol, host, port, version, appli
 
 // src/http/middleware/response/parse.middleware.ts
 import {
-  prettyPrintParseErrors as prettyPrintParseErrors2
+  prettyPrintParseErrors as prettyPrintParseErrors3
 } from "@forklaunch/validator";
 
 // src/http/guards/isResponseCompiledSchema.ts
@@ -3258,13 +3294,13 @@ function parse2(req, res, next) {
   );
   const parseErrors = [];
   if (!parsedHeaders.ok) {
-    const headerErrors = prettyPrintParseErrors2(parsedHeaders.errors, "Header");
+    const headerErrors = prettyPrintParseErrors3(parsedHeaders.errors, "Header");
     if (headerErrors) {
       parseErrors.push(headerErrors);
     }
   }
   if (!parsedResponse.ok) {
-    const responseErrors = prettyPrintParseErrors2(
+    const responseErrors = prettyPrintParseErrors3(
       parsedResponse.errors,
       "Response"
     );