npm - @frontmcp/sdk - Versions diffs - 0.6.1 → 0.6.2 - Mend

@frontmcp/sdk 0.6.1 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1059) hide show

package/src/auth/jwks/dev-key-persistence.js DELETED Viewed

@@ -1,219 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isDevKeyPersistenceEnabled = isDevKeyPersistenceEnabled;
-exports.resolveKeyPath = resolveKeyPath;
-exports.loadDevKey = loadDevKey;
-exports.saveDevKey = saveDevKey;
-exports.deleteDevKey = deleteDevKey;
-const tslib_1 = require("tslib");
-// auth/jwks/dev-key-persistence.ts
-const fs = tslib_1.__importStar(require("fs/promises"));
-const path = tslib_1.__importStar(require("path"));
-const crypto = tslib_1.__importStar(require("crypto"));
-const zod_1 = require("zod");
-const DEFAULT_KEY_PATH = '.frontmcp/dev-keys.json';
-/**
- * Zod schema for RSA JWK private key
- */
-const rsaPrivateKeySchema = zod_1.z
-    .object({
-    kty: zod_1.z.literal('RSA'),
-    n: zod_1.z.string().min(1),
-    e: zod_1.z.string().min(1),
-    d: zod_1.z.string().min(1),
-    p: zod_1.z.string().optional(),
-    q: zod_1.z.string().optional(),
-    dp: zod_1.z.string().optional(),
-    dq: zod_1.z.string().optional(),
-    qi: zod_1.z.string().optional(),
-})
-    .passthrough();
-/**
- * Zod schema for EC JWK private key
- */
-const ecPrivateKeySchema = zod_1.z
-    .object({
-    kty: zod_1.z.literal('EC'),
-    crv: zod_1.z.string().min(1),
-    x: zod_1.z.string().min(1),
-    y: zod_1.z.string().min(1),
-    d: zod_1.z.string().min(1),
-})
-    .passthrough();
-/**
- * Zod schema for public JWK (used in JWKS)
- */
-const publicJwkSchema = zod_1.z
-    .object({
-    kty: zod_1.z.enum(['RSA', 'EC']),
-    kid: zod_1.z.string().min(1),
-    alg: zod_1.z.enum(['RS256', 'ES256']),
-    use: zod_1.z.literal('sig'),
-})
-    .passthrough();
-/**
- * Zod schema for JWKS
- */
-const jwksSchema = zod_1.z.object({
-    keys: zod_1.z.array(publicJwkSchema).min(1),
-});
-/**
- * Zod schema for DevKeyData
- */
-const devKeyDataSchema = zod_1.z.object({
-    kid: zod_1.z.string().min(1),
-    privateKey: zod_1.z.union([rsaPrivateKeySchema, ecPrivateKeySchema]),
-    publicJwk: jwksSchema,
-    createdAt: zod_1.z.number().positive().int(),
-    alg: zod_1.z.enum(['RS256', 'ES256']),
-});
-/**
- * Validate JWK structure based on algorithm
- */
-function validateJwkStructure(data) {
-    const result = devKeyDataSchema.safeParse(data);
-    if (!result.success) {
-        return { valid: false, error: result.error.issues[0]?.message ?? 'Invalid JWK structure' };
-    }
-    const parsed = result.data;
-    // Verify algorithm matches key type
-    if (parsed.alg === 'RS256' && parsed.privateKey.kty !== 'RSA') {
-        return { valid: false, error: 'Algorithm RS256 requires RSA key type' };
-    }
-    if (parsed.alg === 'ES256' && parsed.privateKey.kty !== 'EC') {
-        return { valid: false, error: 'Algorithm ES256 requires EC key type' };
-    }
-    // Verify public key matches private key algorithm
-    const publicKey = parsed.publicJwk.keys[0];
-    if (publicKey.kty !== parsed.privateKey.kty) {
-        return { valid: false, error: 'Public and private key types do not match' };
-    }
-    // Verify kid consistency between top-level and publicJwk
-    if (publicKey.kid !== parsed.kid) {
-        return { valid: false, error: 'kid mismatch between top-level and publicJwk' };
-    }
-    // Verify createdAt is not in the future and not too old (100 years)
-    const now = Date.now();
-    const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1000;
-    if (parsed.createdAt > now) {
-        return { valid: false, error: 'createdAt is in the future' };
-    }
-    if (parsed.createdAt < now - hundredYearsMs) {
-        return { valid: false, error: 'createdAt is too old' };
-    }
-    return { valid: true };
-}
-/**
- * Check if dev key persistence is enabled based on environment and options
- */
-function isDevKeyPersistenceEnabled(options) {
-    const isProduction = process.env['NODE_ENV'] === 'production';
-    // In production, only enable if explicitly forced
-    if (isProduction) {
-        return options?.forceEnable === true;
-    }
-    // In development, enabled by default
-    return true;
-}
-/**
- * Resolve the key file path
- */
-function resolveKeyPath(options) {
-    const keyPath = options?.keyPath ?? DEFAULT_KEY_PATH;
-    // If absolute path, use as-is
-    if (path.isAbsolute(keyPath)) {
-        return keyPath;
-    }
-    // Relative paths are resolved from current working directory
-    return path.resolve(process.cwd(), keyPath);
-}
-/**
- * Load persisted dev key from file
- *
- * @param options - Persistence options
- * @returns The loaded key data or null if not found/invalid
- */
-async function loadDevKey(options) {
-    if (!isDevKeyPersistenceEnabled(options)) {
-        return null;
-    }
-    const keyPath = resolveKeyPath(options);
-    try {
-        const content = await fs.readFile(keyPath, 'utf8');
-        const data = JSON.parse(content);
-        // Validate JWK structure using Zod schema
-        const validation = validateJwkStructure(data);
-        if (!validation.valid) {
-            console.warn(`[DevKeyPersistence] Invalid key file format at ${keyPath}: ${validation.error}, will regenerate`);
-            return null;
-        }
-        console.log(`[DevKeyPersistence] Loaded key (kid=${data.kid}) from ${keyPath}`);
-        return data;
-    }
-    catch (error) {
-        if (error.code === 'ENOENT') {
-            // File doesn't exist - normal for first run
-            return null;
-        }
-        console.warn(`[DevKeyPersistence] Failed to load key from ${keyPath}: ${error.message}`);
-        return null;
-    }
-}
-/**
- * Save dev key to file
- *
- * Uses atomic write (temp file + rename) to prevent corruption.
- * Sets file permissions to 0o600 (owner read/write only) for security.
- *
- * @param keyData - Key data to persist
- * @param options - Persistence options
- * @returns true if save succeeded, false otherwise
- */
-async function saveDevKey(keyData, options) {
-    if (!isDevKeyPersistenceEnabled(options)) {
-        return true; // Not enabled is not a failure
-    }
-    const keyPath = resolveKeyPath(options);
-    const dir = path.dirname(keyPath);
-    const tempPath = `${keyPath}.tmp.${Date.now()}.${crypto.randomBytes(8).toString('hex')}`;
-    try {
-        // Ensure directory exists with restricted permissions
-        await fs.mkdir(dir, { recursive: true, mode: 0o700 });
-        // Write to temp file first (atomic write pattern)
-        const content = JSON.stringify(keyData, null, 2);
-        await fs.writeFile(tempPath, content, { mode: 0o600, encoding: 'utf8' });
-        // Atomic rename to target path
-        await fs.rename(tempPath, keyPath);
-        console.log(`[DevKeyPersistence] Saved key (kid=${keyData.kid}) to ${keyPath}`);
-        return true;
-    }
-    catch (error) {
-        console.error(`[DevKeyPersistence] Failed to save key to ${keyPath}: ${error.message}`);
-        // Clean up temp file if it exists
-        try {
-            await fs.unlink(tempPath);
-        }
-        catch {
-            // Ignore cleanup errors
-        }
-        return false;
-    }
-}
-/**
- * Delete persisted dev key
- *
- * @param options - Persistence options
- */
-async function deleteDevKey(options) {
-    const keyPath = resolveKeyPath(options);
-    try {
-        await fs.unlink(keyPath);
-        console.log(`[DevKeyPersistence] Deleted key at ${keyPath}`);
-    }
-    catch (error) {
-        if (error.code !== 'ENOENT') {
-            console.warn(`[DevKeyPersistence] Failed to delete key at ${keyPath}: ${error.message}`);
-        }
-    }
-}
-//# sourceMappingURL=dev-key-persistence.js.map

package/src/auth/jwks/dev-key-persistence.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"dev-key-persistence.js","sourceRoot":"","sources":["../../../../src/auth/jwks/dev-key-persistence.ts"],"names":[],"mappings":";;AAmJA,gEAUC;AAKD,wCAUC;AAQD,gCA6BC;AAYD,gCAgCC;AAOD,oCAWC;;AA/QD,mCAAmC;AACnC,wDAAkC;AAClC,mDAA6B;AAC7B,uDAAiC;AAEjC,6BAAwB;AAkCxB,MAAM,gBAAgB,GAAG,yBAAyB,CAAC;AAEnD;;GAEG;AACH,MAAM,mBAAmB,GAAG,OAAC;KAC1B,MAAM,CAAC;IACN,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACxB,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC1B,CAAC;KACD,WAAW,EAAE,CAAC;AAEjB;;GAEG;AACH,MAAM,kBAAkB,GAAG,OAAC;KACzB,MAAM,CAAC;IACN,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACrB,CAAC;KACD,WAAW,EAAE,CAAC;AAEjB;;GAEG;AACH,MAAM,eAAe,GAAG,OAAC;KACtB,MAAM,CAAC;IACN,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC/B,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;CACtB,CAAC;KACD,WAAW,EAAE,CAAC;AAEjB;;GAEG;AACH,MAAM,UAAU,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CACtC,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,gBAAgB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,mBAAmB,EAAE,kBAAkB,CAAC,CAAC;IAC9D,SAAS,EAAE,UAAU;IACrB,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE;IACtC,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;CAChC,CAAC,CAAC;AAEH;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAa;IACzC,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,uBAAuB,EAAE,CAAC;IAC7F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;IAE3B,oCAAoC;IACpC,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QAC9D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;IAC1E,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC;IACzE,CAAC;IAED,kDAAkD;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3C,IAAI,SAAS,CAAC,GAAG,KAAK,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC;IAC9E,CAAC;IAED,yDAAyD;IACzD,IAAI,SAAS,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;QACjC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,8CAA8C,EAAE,CAAC;IACjF,CAAC;IAED,oEAAoE;IACpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,cAAc,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACvD,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;IAC/D,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,GAAG,cAAc,EAAE,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;IACzD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CAAC,OAAkC;IAC3E,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAC;IAE9D,kDAAkD;IAClD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,OAAO,EAAE,WAAW,KAAK,IAAI,CAAC;IACvC,CAAC;IAED,qCAAqC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,OAAkC;IAC/D,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,gBAAgB,CAAC;IAErD,8BAA8B;IAC9B,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,6DAA6D;IAC7D,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,UAAU,CAAC,OAAkC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEjC,0CAA0C;QAC1C,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,kDAAkD,OAAO,KAAK,UAAU,CAAC,KAAK,mBAAmB,CAAC,CAAC;YAChH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,uCAAuC,IAAI,CAAC,GAAG,UAAU,OAAO,EAAE,CAAC,CAAC;QAChF,OAAO,IAAkB,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,4CAA4C;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,+CAA+C,OAAO,KAAM,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACpG,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,UAAU,CAAC,OAAmB,EAAE,OAAkC;IACtF,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC,CAAC,+BAA+B;IAC9C,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,GAAG,OAAO,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAEzF,IAAI,CAAC;QACH,sDAAsD;QACtD,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEtD,kDAAkD;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACjD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzE,+BAA+B;QAC/B,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEnC,OAAO,CAAC,GAAG,CAAC,sCAAsC,OAAO,CAAC,GAAG,QAAQ,OAAO,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,6CAA6C,OAAO,KAAM,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACnG,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,YAAY,CAAC,OAAkC;IACnE,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,sCAAsC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,+CAA+C,OAAO,KAAM,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACtG,CAAC;IACH,CAAC;AACH,CAAC","sourcesContent":["// auth/jwks/dev-key-persistence.ts\nimport * as fs from 'fs/promises';\nimport * as path from 'path';\nimport * as crypto from 'crypto';\nimport { JSONWebKeySet } from 'jose';\nimport { z } from 'zod';\n\n/**\n * Data structure for persisted development keys\n */\nexport interface DevKeyData {\n /** Key ID (kid) */\n kid: string;\n /** Private key in JWK format (portable) */\n privateKey: JsonWebKey;\n /** Public JWKS for verification */\n publicJwk: JSONWebKeySet;\n /** Key creation timestamp (ms) */\n createdAt: number;\n /** Algorithm used */\n alg: 'RS256' | 'ES256';\n}\n\n/**\n * Options for dev key persistence\n */\nexport interface DevKeyPersistenceOptions {\n /**\n * Path to store dev keys\n * @default '.frontmcp/dev-keys.json'\n */\n keyPath?: string;\n /**\n * Enable persistence in production (NOT RECOMMENDED)\n * @default false\n */\n forceEnable?: boolean;\n}\n\nconst DEFAULT_KEY_PATH = '.frontmcp/dev-keys.json';\n\n/**\n * Zod schema for RSA JWK private key\n */\nconst rsaPrivateKeySchema = z\n .object({\n kty: z.literal('RSA'),\n n: z.string().min(1),\n e: z.string().min(1),\n d: z.string().min(1),\n p: z.string().optional(),\n q: z.string().optional(),\n dp: z.string().optional(),\n dq: z.string().optional(),\n qi: z.string().optional(),\n })\n .passthrough();\n\n/**\n * Zod schema for EC JWK private key\n */\nconst ecPrivateKeySchema = z\n .object({\n kty: z.literal('EC'),\n crv: z.string().min(1),\n x: z.string().min(1),\n y: z.string().min(1),\n d: z.string().min(1),\n })\n .passthrough();\n\n/**\n * Zod schema for public JWK (used in JWKS)\n */\nconst publicJwkSchema = z\n .object({\n kty: z.enum(['RSA', 'EC']),\n kid: z.string().min(1),\n alg: z.enum(['RS256', 'ES256']),\n use: z.literal('sig'),\n })\n .passthrough();\n\n/**\n * Zod schema for JWKS\n */\nconst jwksSchema = z.object({\n keys: z.array(publicJwkSchema).min(1),\n});\n\n/**\n * Zod schema for DevKeyData\n */\nconst devKeyDataSchema = z.object({\n kid: z.string().min(1),\n privateKey: z.union([rsaPrivateKeySchema, ecPrivateKeySchema]),\n publicJwk: jwksSchema,\n createdAt: z.number().positive().int(),\n alg: z.enum(['RS256', 'ES256']),\n});\n\n/**\n * Validate JWK structure based on algorithm\n */\nfunction validateJwkStructure(data: unknown): { valid: boolean; error?: string } {\n const result = devKeyDataSchema.safeParse(data);\n if (!result.success) {\n return { valid: false, error: result.error.issues[0]?.message ?? 'Invalid JWK structure' };\n }\n\n const parsed = result.data;\n\n // Verify algorithm matches key type\n if (parsed.alg === 'RS256' && parsed.privateKey.kty !== 'RSA') {\n return { valid: false, error: 'Algorithm RS256 requires RSA key type' };\n }\n if (parsed.alg === 'ES256' && parsed.privateKey.kty !== 'EC') {\n return { valid: false, error: 'Algorithm ES256 requires EC key type' };\n }\n\n // Verify public key matches private key algorithm\n const publicKey = parsed.publicJwk.keys[0];\n if (publicKey.kty !== parsed.privateKey.kty) {\n return { valid: false, error: 'Public and private key types do not match' };\n }\n\n // Verify kid consistency between top-level and publicJwk\n if (publicKey.kid !== parsed.kid) {\n return { valid: false, error: 'kid mismatch between top-level and publicJwk' };\n }\n\n // Verify createdAt is not in the future and not too old (100 years)\n const now = Date.now();\n const hundredYearsMs = 100 * 365 * 24 * 60 * 60 * 1000;\n if (parsed.createdAt > now) {\n return { valid: false, error: 'createdAt is in the future' };\n }\n if (parsed.createdAt < now - hundredYearsMs) {\n return { valid: false, error: 'createdAt is too old' };\n }\n\n return { valid: true };\n}\n\n/**\n * Check if dev key persistence is enabled based on environment and options\n */\nexport function isDevKeyPersistenceEnabled(options?: DevKeyPersistenceOptions): boolean {\n const isProduction = process.env['NODE_ENV'] === 'production';\n\n // In production, only enable if explicitly forced\n if (isProduction) {\n return options?.forceEnable === true;\n }\n\n // In development, enabled by default\n return true;\n}\n\n/**\n * Resolve the key file path\n */\nexport function resolveKeyPath(options?: DevKeyPersistenceOptions): string {\n const keyPath = options?.keyPath ?? DEFAULT_KEY_PATH;\n\n // If absolute path, use as-is\n if (path.isAbsolute(keyPath)) {\n return keyPath;\n }\n\n // Relative paths are resolved from current working directory\n return path.resolve(process.cwd(), keyPath);\n}\n\n/**\n * Load persisted dev key from file\n *\n * @param options - Persistence options\n * @returns The loaded key data or null if not found/invalid\n */\nexport async function loadDevKey(options?: DevKeyPersistenceOptions): Promise<DevKeyData | null> {\n if (!isDevKeyPersistenceEnabled(options)) {\n return null;\n }\n\n const keyPath = resolveKeyPath(options);\n\n try {\n const content = await fs.readFile(keyPath, 'utf8');\n const data = JSON.parse(content);\n\n // Validate JWK structure using Zod schema\n const validation = validateJwkStructure(data);\n if (!validation.valid) {\n console.warn(`[DevKeyPersistence] Invalid key file format at ${keyPath}: ${validation.error}, will regenerate`);\n return null;\n }\n\n console.log(`[DevKeyPersistence] Loaded key (kid=${data.kid}) from ${keyPath}`);\n return data as DevKeyData;\n } catch (error: unknown) {\n if ((error as NodeJS.ErrnoException).code === 'ENOENT') {\n // File doesn't exist - normal for first run\n return null;\n }\n\n console.warn(`[DevKeyPersistence] Failed to load key from ${keyPath}: ${(error as Error).message}`);\n return null;\n }\n}\n\n/**\n * Save dev key to file\n *\n * Uses atomic write (temp file + rename) to prevent corruption.\n * Sets file permissions to 0o600 (owner read/write only) for security.\n *\n * @param keyData - Key data to persist\n * @param options - Persistence options\n * @returns true if save succeeded, false otherwise\n */\nexport async function saveDevKey(keyData: DevKeyData, options?: DevKeyPersistenceOptions): Promise<boolean> {\n if (!isDevKeyPersistenceEnabled(options)) {\n return true; // Not enabled is not a failure\n }\n\n const keyPath = resolveKeyPath(options);\n const dir = path.dirname(keyPath);\n const tempPath = `${keyPath}.tmp.${Date.now()}.${crypto.randomBytes(8).toString('hex')}`;\n\n try {\n // Ensure directory exists with restricted permissions\n await fs.mkdir(dir, { recursive: true, mode: 0o700 });\n\n // Write to temp file first (atomic write pattern)\n const content = JSON.stringify(keyData, null, 2);\n await fs.writeFile(tempPath, content, { mode: 0o600, encoding: 'utf8' });\n\n // Atomic rename to target path\n await fs.rename(tempPath, keyPath);\n\n console.log(`[DevKeyPersistence] Saved key (kid=${keyData.kid}) to ${keyPath}`);\n return true;\n } catch (error: unknown) {\n console.error(`[DevKeyPersistence] Failed to save key to ${keyPath}: ${(error as Error).message}`);\n // Clean up temp file if it exists\n try {\n await fs.unlink(tempPath);\n } catch {\n // Ignore cleanup errors\n }\n return false;\n }\n}\n\n/**\n * Delete persisted dev key\n *\n * @param options - Persistence options\n */\nexport async function deleteDevKey(options?: DevKeyPersistenceOptions): Promise<void> {\n const keyPath = resolveKeyPath(options);\n\n try {\n await fs.unlink(keyPath);\n console.log(`[DevKeyPersistence] Deleted key at ${keyPath}`);\n } catch (error: unknown) {\n if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {\n console.warn(`[DevKeyPersistence] Failed to delete key at ${keyPath}: ${(error as Error).message}`);\n }\n }\n}\n"]}

package/src/auth/jwks/index.js DELETED Viewed

@@ -1,7 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const tslib_1 = require("tslib");
-tslib_1.__exportStar(require("./jwks.service"), exports);
-tslib_1.__exportStar(require("./jwks.types"), exports);
-tslib_1.__exportStar(require("./dev-key-persistence"), exports);
-//# sourceMappingURL=index.js.map

package/src/auth/jwks/index.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/auth/jwks/index.ts"],"names":[],"mappings":";;;AAAA,yDAA+B;AAC/B,uDAA6B;AAC7B,gEAAsC","sourcesContent":["export * from './jwks.service';\nexport * from './jwks.types';\nexport * from './dev-key-persistence';\n"]}

package/src/auth/jwks/jwks.service.js DELETED Viewed

@@ -1,303 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.JwksService = void 0;
-const tslib_1 = require("tslib");
-// auth/jwks/jwks.service.ts
-const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
-const jose_1 = require("jose");
-const jwks_utils_1 = require("./jwks.utils");
-const dev_key_persistence_1 = require("./dev-key-persistence");
-class JwksService {
-    opts;
-    // Orchestrator signing material
-    orchestratorKey;
-    // Provider JWKS cache (providerId -> jwks + fetchedAt)
-    providerJwks = new Map();
-    // Track if key has been initialized (for async loading)
-    keyInitialized = false;
-    // Promise guard to prevent concurrent key generation
-    keyInitPromise;
-    constructor(opts) {
-        this.opts = {
-            orchestratorAlg: opts?.orchestratorAlg ?? 'RS256',
-            rotateDays: opts?.rotateDays ?? 30,
-            providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1000, // 6h
-            networkTimeoutMs: opts?.networkTimeoutMs ?? 5000, // 5s
-            devKeyPersistence: opts?.devKeyPersistence,
-        };
-    }
-    // ===========================================================================
-    // Public JWKS (what /.well-known/jwks.json serves)
-    // ===========================================================================
-    /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
-    async getPublicJwks() {
-        return this.getOrchestratorJwks();
-    }
-    // ===========================================================================
-    // Scope-aware verification API
-    // ===========================================================================
-    /** Verify a token issued by the gateway itself (orchestrated mode). */
-    async verifyGatewayToken(token, expectedIssuer) {
-        try {
-            // TODO: add support for local/remote proxy mode
-            //       current implementation for anonymous mode only
-            // const jwks = this.getPublicJwks();
-            // const JWKS = createLocalJWKSet(jwks);
-            // const {payload, protectedHeader} = await jwtVerify(token, JWKS, {
-            //   issuer: normalizeIssuer(expectedIssuer),
-            // });
-            // return {
-            //   ok: true,
-            //   issuer: payload?.iss as string | undefined,
-            //   sub: payload?.sub as string | undefined,
-            //   header: protectedHeader,
-            //   payload,
-            // };
-            const payload = (0, jwks_utils_1.decodeJwtPayloadSafe)(token);
-            if (!payload) {
-                return {
-                    ok: false,
-                    error: 'invalid bearer token',
-                };
-            }
-            return {
-                ok: true,
-                issuer: expectedIssuer,
-                sub: payload['sub'],
-                payload,
-                header: (0, jose_1.decodeProtectedHeader)(token),
-            };
-        }
-        catch (err) {
-            return { ok: false, error: err?.message ?? 'verification_failed' };
-        }
-    }
-    /**
-     * Verify a token against candidate transparent providers.
-     * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
-     */
-    async verifyTransparentToken(token, candidates) {
-        if (!candidates?.length)
-            return { ok: false, error: 'no_providers' };
-        // Helpful only for error messages
-        let kid;
-        try {
-            const header = (0, jose_1.decodeProtectedHeader)(token);
-            kid = typeof header?.kid === 'string' ? header.kid : undefined;
-        }
-        catch {
-            /* empty */
-        }
-        for (const p of candidates) {
-            try {
-                const jwks = await this.getJwksForProvider(p);
-                if (!jwks?.keys?.length)
-                    continue;
-                const draftPayload = (0, jwks_utils_1.decodeJwtPayloadSafe)(token);
-                const JWKS = (0, jose_1.createLocalJWKSet)(jwks);
-                const { payload, protectedHeader } = await (0, jose_1.jwtVerify)(token, JWKS, {
-                    issuer: [(0, jwks_utils_1.normalizeIssuer)(p.issuerUrl)].concat((draftPayload?.['iss'] ? [draftPayload['iss']] : [])), // used because current cloud gateway have invalid issuer
-                });
-                return {
-                    ok: true,
-                    issuer: payload?.iss,
-                    sub: payload?.sub,
-                    providerId: p.id,
-                    header: protectedHeader,
-                    payload,
-                };
-            }
-            catch (e) {
-                console.log('failed to verify token for provider: ', p.id, e);
-                // try next provider
-            }
-        }
-        return { ok: false, error: `no_provider_verified${kid ? ` (kid=${kid})` : ''}` };
-    }
-    // ===========================================================================
-    // Provider JWKS (cache + preload + discovery)
-    // ===========================================================================
-    /** Directly set provider JWKS (e.g., inline keys from config). */
-    setProviderJwks(providerId, jwks) {
-        this.providerJwks.set(providerId, { jwks, fetchedAt: Date.now() });
-    }
-    /**
-     * Ensure JWKS for a provider:
-     *   1) inline jwks (if provided) → cache & return
-     *   2) cached & fresh (TTL)      → return
-     *   3) explicit jwksUri          → fetch, cache, return
-     *   4) discover jwks_uri via AS  → fetch AS metadata, then jwks_uri, cache, return
-     */
-    async getJwksForProvider(ref) {
-        // Inline keys win
-        if (ref.jwks?.keys?.length) {
-            this.setProviderJwks(ref.id, ref.jwks);
-            return ref.jwks;
-        }
-        // Cache hit and fresh?
-        const cached = this.providerJwks.get(ref.id);
-        if (cached && Date.now() - cached.fetchedAt < this.opts.providerJwksTtlMs) {
-            return cached.jwks;
-        }
-        // If we have a jwksUri, try it
-        if (ref.jwksUri) {
-            const fromUri = await this.tryFetchJwks(ref.id, ref.jwksUri);
-            if (fromUri?.keys?.length)
-                return fromUri;
-        }
-        // Discover via AS .well-known
-        const issuer = (0, jwks_utils_1.trimSlash)(ref.issuerUrl);
-        const meta = await this.tryFetchAsMeta(`${issuer}/.well-known/oauth-authorization-server`);
-        const uri = meta && typeof meta === 'object' && meta.jwks_uri ? String(meta.jwks_uri) : undefined;
-        if (uri) {
-            const fromMeta = await this.tryFetchJwks(ref.id, uri);
-            if (fromMeta?.keys?.length)
-                return fromMeta;
-        }
-        return cached?.jwks; // return stale if we had anything, else undefined
-    }
-    // ===========================================================================
-    // Orchestrator keys (generation/rotation)
-    // ===========================================================================
-    /** Return the orchestrator public JWKS (generates/rotates as needed). */
-    async getOrchestratorJwks() {
-        await this.ensureOrchestratorKey();
-        return this.orchestratorKey.publicJwk;
-    }
-    /** Return private signing key + kid for issuing orchestrator tokens. */
-    async getOrchestratorSigningKey() {
-        await this.ensureOrchestratorKey();
-        return { kid: this.orchestratorKey.kid, key: this.orchestratorKey.privateKey, alg: this.opts.orchestratorAlg };
-    }
-    // ===========================================================================
-    // Internals (fetch, rotation, helpers)
-    // ===========================================================================
-    async tryFetchJwks(providerId, uri) {
-        try {
-            const jwks = await this.fetchJson(uri);
-            if (jwks?.keys?.length) {
-                this.setProviderJwks(providerId, jwks);
-                return jwks;
-            }
-        }
-        catch {
-            /* empty */
-        }
-        return undefined;
-    }
-    async tryFetchAsMeta(url) {
-        try {
-            return await this.fetchJson(url);
-        }
-        catch {
-            return undefined;
-        }
-    }
-    async fetchJson(url) {
-        const ctl = typeof AbortController !== 'undefined' ? new AbortController() : undefined;
-        const timer = setTimeout(() => ctl?.abort(), this.opts.networkTimeoutMs);
-        try {
-            const res = await fetch(url, {
-                method: 'GET',
-                headers: { accept: 'application/json' },
-                signal: ctl?.signal,
-            });
-            if (!res.ok)
-                throw new Error(`HTTP ${res.status}`);
-            return (await res.json());
-        }
-        finally {
-            clearTimeout(timer);
-        }
-    }
-    async ensureOrchestratorKey() {
-        const now = Date.now();
-        const maxAge = this.opts.rotateDays * 24 * 60 * 60 * 1000;
-        // If key exists and not expired, use it
-        if (this.orchestratorKey && now - this.orchestratorKey.createdAt <= maxAge) {
-            return;
-        }
-        // Use promise guard to prevent concurrent key generation (race condition fix)
-        if (this.keyInitPromise) {
-            await this.keyInitPromise;
-            return;
-        }
-        // Create promise guard and initialize key
-        this.keyInitPromise = this.initializeOrchestratorKey(now, maxAge);
-        try {
-            await this.keyInitPromise;
-        }
-        finally {
-            // Clear promise guard after initialization to allow future rotation
-            this.keyInitPromise = undefined;
-        }
-    }
-    async initializeOrchestratorKey(now, maxAge) {
-        // Try to load persisted key (in development mode)
-        if ((0, dev_key_persistence_1.isDevKeyPersistenceEnabled)(this.opts.devKeyPersistence) && !this.keyInitialized) {
-            this.keyInitialized = true;
-            const loaded = await (0, dev_key_persistence_1.loadDevKey)(this.opts.devKeyPersistence);
-            if (loaded && now - loaded.createdAt <= maxAge) {
-                // Validate algorithm matches config
-                if (loaded.alg !== this.opts.orchestratorAlg) {
-                    console.warn(`[JwksService] Persisted key algorithm (${loaded.alg}) doesn't match config (${this.opts.orchestratorAlg}), generating new key`);
-                }
-                else {
-                    // Reconstruct KeyObject from JWK
-                    try {
-                        // Cast to crypto.JsonWebKey to satisfy TypeScript
-                        const privateKey = node_crypto_1.default.createPrivateKey({
-                            key: loaded.privateKey,
-                            format: 'jwk',
-                        });
-                        this.orchestratorKey = {
-                            kid: loaded.kid,
-                            privateKey,
-                            publicJwk: loaded.publicJwk,
-                            createdAt: loaded.createdAt,
-                        };
-                        return;
-                    }
-                    catch (error) {
-                        console.warn(`[JwksService] Failed to load persisted key: ${error.message}, generating new key`);
-                    }
-                }
-            }
-        }
-        // Generate new key
-        this.orchestratorKey = this.generateKey(this.opts.orchestratorAlg);
-        this.keyInitialized = true;
-        // Save in development mode
-        if ((0, dev_key_persistence_1.isDevKeyPersistenceEnabled)(this.opts.devKeyPersistence)) {
-            const keyData = {
-                kid: this.orchestratorKey.kid,
-                privateKey: this.orchestratorKey.privateKey.export({ format: 'jwk' }),
-                publicJwk: this.orchestratorKey.publicJwk,
-                createdAt: this.orchestratorKey.createdAt,
-                alg: this.opts.orchestratorAlg,
-            };
-            const saved = await (0, dev_key_persistence_1.saveDevKey)(keyData, this.opts.devKeyPersistence);
-            if (!saved) {
-                console.warn('[JwksService] Failed to persist dev key - key will be regenerated on next restart');
-            }
-        }
-    }
-    generateKey(alg) {
-        if (alg === 'RS256') {
-            const { privateKey, publicKey } = node_crypto_1.default.generateKeyPairSync('rsa', { modulusLength: 2048 });
-            const kid = node_crypto_1.default.randomBytes(8).toString('hex');
-            const publicJwk = publicKey.export({ format: 'jwk' });
-            Object.assign(publicJwk, { kid, alg: 'RS256', use: 'sig', kty: 'RSA' });
-            return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
-        }
-        else {
-            const { privateKey, publicKey } = node_crypto_1.default.generateKeyPairSync('ec', { namedCurve: 'P-256' });
-            const kid = node_crypto_1.default.randomBytes(8).toString('hex');
-            const publicJwk = publicKey.export({ format: 'jwk' });
-            Object.assign(publicJwk, { kid, alg: 'ES256', use: 'sig', kty: 'EC' });
-            return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };
-        }
-    }
-}
-exports.JwksService = JwksService;
-//# sourceMappingURL=jwks.service.js.map

package/src/auth/jwks/jwks.service.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"jwks.service.js","sourceRoot":"","sources":["../../../../src/auth/jwks/jwks.service.ts"],"names":[],"mappings":";;;;AAAA,4BAA4B;AAC5B,sEAAiC;AACjC,+BAA0F;AAE1F,6CAAgF;AAChF,+DAAuG;AAEvG,MAAa,WAAW;IACL,IAAI,CAEnB;IAEF,gCAAgC;IACxB,eAAe,CAKrB;IAEF,uDAAuD;IAC/C,YAAY,GAAG,IAAI,GAAG,EAAsD,CAAC;IAErF,wDAAwD;IAChD,cAAc,GAAG,KAAK,CAAC;IAC/B,qDAAqD;IAC7C,cAAc,CAA4B;IAElD,YAAY,IAAyB;QACnC,IAAI,CAAC,IAAI,GAAG;YACV,eAAe,EAAE,IAAI,EAAE,eAAe,IAAI,OAAO;YACjD,UAAU,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE;YAClC,iBAAiB,EAAE,IAAI,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,KAAK;YACvE,gBAAgB,EAAE,IAAI,EAAE,gBAAgB,IAAI,IAAI,EAAE,KAAK;YACvD,iBAAiB,EAAE,IAAI,EAAE,iBAAiB;SAC3C,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,mDAAmD;IACnD,8EAA8E;IAE9E,mFAAmF;IACnF,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,mBAAmB,EAAE,CAAC;IACpC,CAAC;IAED,8EAA8E;IAC9E,+BAA+B;IAC/B,8EAA8E;IAE9E,uEAAuE;IACvE,KAAK,CAAC,kBAAkB,CAAC,KAAa,EAAE,cAAsB;QAC5D,IAAI,CAAC;YACH,gDAAgD;YAChD,uDAAuD;YAEvD,qCAAqC;YACrC,wCAAwC;YACxC,oEAAoE;YACpE,6CAA6C;YAC7C,MAAM;YACN,WAAW;YACX,cAAc;YACd,gDAAgD;YAChD,6CAA6C;YAC7C,6BAA6B;YAC7B,aAAa;YACb,KAAK;YAEL,MAAM,OAAO,GAAG,IAAA,iCAAoB,EAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,sBAAsB;iBAC9B,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,cAAc;gBACtB,GAAG,EAAE,OAAO,CAAC,KAAK,CAAW;gBAC7B,OAAO;gBACP,MAAM,EAAE,IAAA,4BAAqB,EAAC,KAAK,CAAC;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACrE,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,sBAAsB,CAAC,KAAa,EAAE,UAA+B;QACzE,IAAI,CAAC,UAAU,EAAE,MAAM;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QAErE,kCAAkC;QAClC,IAAI,GAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,4BAAqB,EAAC,KAAK,CAAC,CAAC;YAE5C,GAAG,GAAG,OAAO,MAAM,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;gBAC9C,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM;oBAAE,SAAS;gBAClC,MAAM,YAAY,GAAG,IAAA,iCAAoB,EAAC,KAAK,CAAC,CAAC;gBACjD,MAAM,IAAI,GAAG,IAAA,wBAAiB,EAAC,IAAI,CAAC,CAAC;gBACrC,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,IAAI,EAAE;oBAChE,MAAM,EAAE,CAAC,IAAA,4BAAe,EAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAC3C,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAa,CACjE,EAAE,yDAAyD;iBAC7D,CAAC,CAAC;gBAEH,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,OAAO,EAAE,GAAyB;oBAC1C,GAAG,EAAE,OAAO,EAAE,GAAyB;oBACvC,UAAU,EAAE,CAAC,CAAC,EAAE;oBAChB,MAAM,EAAE,eAAe;oBACvB,OAAO;iBACR,CAAC;YACJ,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC9D,oBAAoB;YACtB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC;IACnF,CAAC;IAED,8EAA8E;IAC9E,8CAA8C;IAC9C,8EAA8E;IAE9E,kEAAkE;IAClE,eAAe,CAAC,UAAkB,EAAE,IAAmB;QACrD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,kBAAkB,CAAC,GAAsB;QAC7C,kBAAkB;QAClB,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YACvC,OAAO,GAAG,CAAC,IAAI,CAAC;QAClB,CAAC;QAED,uBAAuB;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC1E,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QAED,+BAA+B;QAC/B,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAC7D,IAAI,OAAO,EAAE,IAAI,EAAE,MAAM;gBAAE,OAAO,OAAO,CAAC;QAC5C,CAAC;QAED,8BAA8B;QAC9B,MAAM,MAAM,GAAG,IAAA,sBAAS,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,MAAM,yCAAyC,CAAC,CAAC;QAC3F,MAAM,GAAG,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAClG,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;YACtD,IAAI,QAAQ,EAAE,IAAI,EAAE,MAAM;gBAAE,OAAO,QAAQ,CAAC;QAC9C,CAAC;QAED,OAAO,MAAM,EAAE,IAAI,CAAC,CAAC,kDAAkD;IACzE,CAAC;IAED,8EAA8E;IAC9E,0CAA0C;IAC1C,8EAA8E;IAE9E,yEAAyE;IACzE,KAAK,CAAC,mBAAmB;QACvB,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC;IACxC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,yBAAyB;QAC7B,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACnC,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;IACjH,CAAC;IAED,8EAA8E;IAC9E,uCAAuC;IACvC,8EAA8E;IAEtE,KAAK,CAAC,YAAY,CAAC,UAAkB,EAAE,GAAW;QACxD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAgB,GAAG,CAAC,CAAC;YACtD,IAAI,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;gBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,GAAW;QACtC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAU,GAAW;QAC1C,MAAM,GAAG,GAAG,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACvF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC3B,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,MAAM,EAAE,GAAG,EAAE,MAAM;aACpB,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;QACjC,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAE1D,wCAAwC;QACxC,IAAI,IAAI,CAAC,eAAe,IAAI,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,IAAI,MAAM,EAAE,CAAC;YAC3E,OAAO;QACT,CAAC;QAED,8EAA8E;QAC9E,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,cAAc,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,0CAA0C;QAC1C,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAClE,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,cAAc,CAAC;QAC5B,CAAC;gBAAS,CAAC;YACT,oEAAoE;YACpE,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,yBAAyB,CAAC,GAAW,EAAE,MAAc;QACjE,kDAAkD;QAClD,IAAI,IAAA,gDAA0B,EAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACpF,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,IAAA,gCAAU,EAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAE7D,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,EAAE,CAAC;gBAC/C,oCAAoC;gBACpC,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;oBAC7C,OAAO,CAAC,IAAI,CACV,0CAA0C,MAAM,CAAC,GAAG,2BAA2B,IAAI,CAAC,IAAI,CAAC,eAAe,uBAAuB,CAChI,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,iCAAiC;oBACjC,IAAI,CAAC;wBACH,kDAAkD;wBAClD,MAAM,UAAU,GAAG,qBAAM,CAAC,gBAAgB,CAAC;4BACzC,GAAG,EAAE,MAAM,CAAC,UAA+B;4BAC3C,MAAM,EAAE,KAAK;yBACd,CAAC,CAAC;wBACH,IAAI,CAAC,eAAe,GAAG;4BACrB,GAAG,EAAE,MAAM,CAAC,GAAG;4BACf,UAAU;4BACV,SAAS,EAAE,MAAM,CAAC,SAAS;4BAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;yBAC5B,CAAC;wBACF,OAAO;oBACT,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,OAAO,CAAC,IAAI,CAAC,+CAAgD,KAAe,CAAC,OAAO,sBAAsB,CAAC,CAAC;oBAC9G,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACnE,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAE3B,2BAA2B;QAC3B,IAAI,IAAA,gDAA0B,EAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAe;gBAC1B,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG;gBAC7B,UAAU,EAAE,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAe;gBACnF,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,SAAS;gBACzC,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,SAAS;gBACzC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,eAAe;aAC/B,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,IAAA,gCAAU,EAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YACrE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,IAAI,CAAC,mFAAmF,CAAC,CAAC;YACpG,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,GAAsB;QACxC,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,qBAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7F,MAAM,GAAG,GAAG,qBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACtF,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,qBAAM,CAAC,mBAAmB,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5F,MAAM,GAAG,GAAG,qBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;YACvE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACtF,CAAC;IACH,CAAC;CACF;AAtUD,kCAsUC","sourcesContent":["// auth/jwks/jwks.service.ts\nimport crypto from 'node:crypto';\nimport { jwtVerify, createLocalJWKSet, decodeProtectedHeader, JSONWebKeySet } from 'jose';\nimport { JwksServiceOptions, ProviderVerifyRef, VerifyResult } from './jwks.types';\nimport { normalizeIssuer, trimSlash, decodeJwtPayloadSafe } from './jwks.utils';\nimport { isDevKeyPersistenceEnabled, loadDevKey, saveDevKey, DevKeyData } from './dev-key-persistence';\n\nexport class JwksService {\n private readonly opts: Required<Omit<JwksServiceOptions, 'devKeyPersistence'>> & {\n devKeyPersistence?: JwksServiceOptions['devKeyPersistence'];\n };\n\n // Orchestrator signing material\n private orchestratorKey!: {\n kid: string;\n privateKey: crypto.KeyObject;\n publicJwk: JSONWebKeySet;\n createdAt: number;\n };\n\n // Provider JWKS cache (providerId -> jwks + fetchedAt)\n private providerJwks = new Map<string, { jwks: JSONWebKeySet; fetchedAt: number }>();\n\n // Track if key has been initialized (for async loading)\n private keyInitialized = false;\n // Promise guard to prevent concurrent key generation\n private keyInitPromise: Promise<void> | undefined;\n\n constructor(opts?: JwksServiceOptions) {\n this.opts = {\n orchestratorAlg: opts?.orchestratorAlg ?? 'RS256',\n rotateDays: opts?.rotateDays ?? 30,\n providerJwksTtlMs: opts?.providerJwksTtlMs ?? 6 * 60 * 60 * 1000, // 6h\n networkTimeoutMs: opts?.networkTimeoutMs ?? 5000, // 5s\n devKeyPersistence: opts?.devKeyPersistence,\n };\n }\n\n // ===========================================================================\n // Public JWKS (what /.well-known/jwks.json serves)\n // ===========================================================================\n\n /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */\n async getPublicJwks(): Promise<JSONWebKeySet> {\n return this.getOrchestratorJwks();\n }\n\n // ===========================================================================\n // Scope-aware verification API\n // ===========================================================================\n\n /** Verify a token issued by the gateway itself (orchestrated mode). */\n async verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult> {\n try {\n // TODO: add support for local/remote proxy mode\n // current implementation for anonymous mode only\n\n // const jwks = this.getPublicJwks();\n // const JWKS = createLocalJWKSet(jwks);\n // const {payload, protectedHeader} = await jwtVerify(token, JWKS, {\n // issuer: normalizeIssuer(expectedIssuer),\n // });\n // return {\n // ok: true,\n // issuer: payload?.iss as string | undefined,\n // sub: payload?.sub as string | undefined,\n // header: protectedHeader,\n // payload,\n // };\n\n const payload = decodeJwtPayloadSafe(token);\n if (!payload) {\n return {\n ok: false,\n error: 'invalid bearer token',\n };\n }\n return {\n ok: true,\n issuer: expectedIssuer,\n sub: payload['sub'] as string,\n payload,\n header: decodeProtectedHeader(token),\n };\n } catch (err: any) {\n return { ok: false, error: err?.message ?? 'verification_failed' };\n }\n }\n\n /**\n * Verify a token against candidate transparent providers.\n * Ensures JWKS are available (cached/TTL/AS discovery) per provider.\n */\n async verifyTransparentToken(token: string, candidates: ProviderVerifyRef[]): Promise<VerifyResult> {\n if (!candidates?.length) return { ok: false, error: 'no_providers' };\n\n // Helpful only for error messages\n let kid: string | undefined;\n try {\n const header = decodeProtectedHeader(token);\n\n kid = typeof header?.kid === 'string' ? header.kid : undefined;\n } catch {\n /* empty */\n }\n\n for (const p of candidates) {\n try {\n const jwks = await this.getJwksForProvider(p);\n if (!jwks?.keys?.length) continue;\n const draftPayload = decodeJwtPayloadSafe(token);\n const JWKS = createLocalJWKSet(jwks);\n const { payload, protectedHeader } = await jwtVerify(token, JWKS, {\n issuer: [normalizeIssuer(p.issuerUrl)].concat(\n (draftPayload?.['iss'] ? [draftPayload['iss']] : []) as string[],\n ), // used because current cloud gateway have invalid issuer\n });\n\n return {\n ok: true,\n issuer: payload?.iss as string | undefined,\n sub: payload?.sub as string | undefined,\n providerId: p.id,\n header: protectedHeader,\n payload,\n };\n } catch (e) {\n console.log('failed to verify token for provider: ', p.id, e);\n // try next provider\n }\n }\n\n return { ok: false, error: `no_provider_verified${kid ? ` (kid=${kid})` : ''}` };\n }\n\n // ===========================================================================\n // Provider JWKS (cache + preload + discovery)\n // ===========================================================================\n\n /** Directly set provider JWKS (e.g., inline keys from config). */\n setProviderJwks(providerId: string, jwks: JSONWebKeySet) {\n this.providerJwks.set(providerId, { jwks, fetchedAt: Date.now() });\n }\n\n /**\n * Ensure JWKS for a provider:\n * 1) inline jwks (if provided) → cache & return\n * 2) cached & fresh (TTL) → return\n * 3) explicit jwksUri → fetch, cache, return\n * 4) discover jwks_uri via AS → fetch AS metadata, then jwks_uri, cache, return\n */\n async getJwksForProvider(ref: ProviderVerifyRef): Promise<JSONWebKeySet | undefined> {\n // Inline keys win\n if (ref.jwks?.keys?.length) {\n this.setProviderJwks(ref.id, ref.jwks);\n return ref.jwks;\n }\n\n // Cache hit and fresh?\n const cached = this.providerJwks.get(ref.id);\n if (cached && Date.now() - cached.fetchedAt < this.opts.providerJwksTtlMs) {\n return cached.jwks;\n }\n\n // If we have a jwksUri, try it\n if (ref.jwksUri) {\n const fromUri = await this.tryFetchJwks(ref.id, ref.jwksUri);\n if (fromUri?.keys?.length) return fromUri;\n }\n\n // Discover via AS .well-known\n const issuer = trimSlash(ref.issuerUrl);\n const meta = await this.tryFetchAsMeta(`${issuer}/.well-known/oauth-authorization-server`);\n const uri = meta && typeof meta === 'object' && meta.jwks_uri ? String(meta.jwks_uri) : undefined;\n if (uri) {\n const fromMeta = await this.tryFetchJwks(ref.id, uri);\n if (fromMeta?.keys?.length) return fromMeta;\n }\n\n return cached?.jwks; // return stale if we had anything, else undefined\n }\n\n // ===========================================================================\n // Orchestrator keys (generation/rotation)\n // ===========================================================================\n\n /** Return the orchestrator public JWKS (generates/rotates as needed). */\n async getOrchestratorJwks(): Promise<JSONWebKeySet> {\n await this.ensureOrchestratorKey();\n return this.orchestratorKey.publicJwk;\n }\n\n /** Return private signing key + kid for issuing orchestrator tokens. */\n async getOrchestratorSigningKey(): Promise<{ kid: string; key: crypto.KeyObject; alg: string }> {\n await this.ensureOrchestratorKey();\n return { kid: this.orchestratorKey.kid, key: this.orchestratorKey.privateKey, alg: this.opts.orchestratorAlg };\n }\n\n // ===========================================================================\n // Internals (fetch, rotation, helpers)\n // ===========================================================================\n\n private async tryFetchJwks(providerId: string, uri: string): Promise<JSONWebKeySet | undefined> {\n try {\n const jwks = await this.fetchJson<JSONWebKeySet>(uri);\n if (jwks?.keys?.length) {\n this.setProviderJwks(providerId, jwks);\n return jwks;\n }\n } catch {\n /* empty */\n }\n return undefined;\n }\n\n private async tryFetchAsMeta(url: string): Promise<any | undefined> {\n try {\n return await this.fetchJson(url);\n } catch {\n return undefined;\n }\n }\n\n private async fetchJson<T = any>(url: string): Promise<T> {\n const ctl = typeof AbortController !== 'undefined' ? new AbortController() : undefined;\n const timer = setTimeout(() => ctl?.abort(), this.opts.networkTimeoutMs);\n try {\n const res = await fetch(url, {\n method: 'GET',\n headers: { accept: 'application/json' },\n signal: ctl?.signal,\n });\n if (!res.ok) throw new Error(`HTTP ${res.status}`);\n return (await res.json()) as T;\n } finally {\n clearTimeout(timer);\n }\n }\n\n private async ensureOrchestratorKey() {\n const now = Date.now();\n const maxAge = this.opts.rotateDays * 24 * 60 * 60 * 1000;\n\n // If key exists and not expired, use it\n if (this.orchestratorKey && now - this.orchestratorKey.createdAt <= maxAge) {\n return;\n }\n\n // Use promise guard to prevent concurrent key generation (race condition fix)\n if (this.keyInitPromise) {\n await this.keyInitPromise;\n return;\n }\n\n // Create promise guard and initialize key\n this.keyInitPromise = this.initializeOrchestratorKey(now, maxAge);\n try {\n await this.keyInitPromise;\n } finally {\n // Clear promise guard after initialization to allow future rotation\n this.keyInitPromise = undefined;\n }\n }\n\n private async initializeOrchestratorKey(now: number, maxAge: number) {\n // Try to load persisted key (in development mode)\n if (isDevKeyPersistenceEnabled(this.opts.devKeyPersistence) && !this.keyInitialized) {\n this.keyInitialized = true;\n const loaded = await loadDevKey(this.opts.devKeyPersistence);\n\n if (loaded && now - loaded.createdAt <= maxAge) {\n // Validate algorithm matches config\n if (loaded.alg !== this.opts.orchestratorAlg) {\n console.warn(\n `[JwksService] Persisted key algorithm (${loaded.alg}) doesn't match config (${this.opts.orchestratorAlg}), generating new key`,\n );\n } else {\n // Reconstruct KeyObject from JWK\n try {\n // Cast to crypto.JsonWebKey to satisfy TypeScript\n const privateKey = crypto.createPrivateKey({\n key: loaded.privateKey as crypto.JsonWebKey,\n format: 'jwk',\n });\n this.orchestratorKey = {\n kid: loaded.kid,\n privateKey,\n publicJwk: loaded.publicJwk,\n createdAt: loaded.createdAt,\n };\n return;\n } catch (error) {\n console.warn(`[JwksService] Failed to load persisted key: ${(error as Error).message}, generating new key`);\n }\n }\n }\n }\n\n // Generate new key\n this.orchestratorKey = this.generateKey(this.opts.orchestratorAlg);\n this.keyInitialized = true;\n\n // Save in development mode\n if (isDevKeyPersistenceEnabled(this.opts.devKeyPersistence)) {\n const keyData: DevKeyData = {\n kid: this.orchestratorKey.kid,\n privateKey: this.orchestratorKey.privateKey.export({ format: 'jwk' }) as JsonWebKey,\n publicJwk: this.orchestratorKey.publicJwk,\n createdAt: this.orchestratorKey.createdAt,\n alg: this.opts.orchestratorAlg,\n };\n const saved = await saveDevKey(keyData, this.opts.devKeyPersistence);\n if (!saved) {\n console.warn('[JwksService] Failed to persist dev key - key will be regenerated on next restart');\n }\n }\n }\n\n private generateKey(alg: 'RS256' | 'ES256') {\n if (alg === 'RS256') {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });\n const kid = crypto.randomBytes(8).toString('hex');\n const publicJwk = publicKey.export({ format: 'jwk' });\n Object.assign(publicJwk, { kid, alg: 'RS256', use: 'sig', kty: 'RSA' });\n return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };\n } else {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });\n const kid = crypto.randomBytes(8).toString('hex');\n const publicJwk = publicKey.export({ format: 'jwk' });\n Object.assign(publicJwk, { kid, alg: 'ES256', use: 'sig', kty: 'EC' });\n return { kid, privateKey, publicJwk: { keys: [publicJwk] }, createdAt: Date.now() };\n }\n }\n}\n"]}

package/src/auth/jwks/jwks.types.js DELETED Viewed

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=jwks.types.js.map

package/src/auth/jwks/jwks.types.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"jwks.types.js","sourceRoot":"","sources":["../../../../src/auth/jwks/jwks.types.ts"],"names":[],"mappings":"","sourcesContent":["import { JSONWebKeySet } from 'jose';\nimport { DevKeyPersistenceOptions } from './dev-key-persistence';\n\nexport type JwksServiceOptions = {\n orchestratorAlg?: 'RS256' | 'ES256';\n rotateDays?: number;\n /** TTL (ms) for cached provider JWKS before attempting refresh. Default: 6h */\n providerJwksTtlMs?: number;\n /** Timeout (ms) for network metadata/JWKS fetches. Default: 5s */\n networkTimeoutMs?: number;\n /**\n * Options for dev key persistence (development mode only by default).\n * When enabled, keys are saved to a file and reloaded on server restart.\n */\n devKeyPersistence?: DevKeyPersistenceOptions;\n};\n\nexport type { DevKeyPersistenceOptions };\n\n/** Rich descriptor used by verification & fetching */\nexport type ProviderVerifyRef = {\n id: string;\n issuerUrl: string; // upstream issuer (e.g., https://idp.example.com)\n jwksUri?: string; // optional explicit JWKS uri\n jwks?: JSONWebKeySet; // optional inline keys (prioritized)\n};\n\nexport type VerifyResult = {\n ok: boolean;\n issuer?: string;\n sub?: string;\n providerId?: string;\n header?: any;\n payload?: any;\n error?: string;\n};\n"]}

package/src/auth/jwks/jwks.utils.js DELETED Viewed

@@ -1,32 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.trimSlash = trimSlash;
-exports.normalizeIssuer = normalizeIssuer;
-exports.decodeJwtPayloadSafe = decodeJwtPayloadSafe;
-function trimSlash(s) {
-    return (s ?? '').replace(/\/+$/, '');
-}
-function normalizeIssuer(u) {
-    return trimSlash(String(u ?? ''));
-}
-/** Safe, no-verify JWT payload decode (returns undefined on error). */
-function decodeJwtPayloadSafe(token) {
-    if (!token)
-        return undefined;
-    const parts = token.split('.');
-    if (parts.length < 2)
-        return undefined;
-    try {
-        const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
-        const json = typeof Buffer !== 'undefined'
-            ? Buffer.from(b64, 'base64').toString('utf8')
-            : // browser fallback
-                atob(b64);
-        const obj = JSON.parse(json);
-        return obj && typeof obj === 'object' ? obj : undefined;
-    }
-    catch {
-        return undefined;
-    }
-}
-//# sourceMappingURL=jwks.utils.js.map