@hybrd/xmtp 1.3.0 → 1.3.2
- package/.turbo/turbo-build.log +10 -10
- package/.turbo/turbo-typecheck.log +1 -1
- package/dist/index.cjs +10 -10
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +10 -10
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/src/lib/jwt.ts +15 -15
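--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -3271,23 +3271,23 @@ function getValidatedPayload(c) {
 }
 return validateXMTPToolsToken(token);
 }
-
-const secret = process.env.
+function getJwtSecret() {
+const secret = process.env.XMTP_ENCRYPTION_KEY;
 const nodeEnv = process.env.NODE_ENV || "development";
 if (nodeEnv === "production" && !secret) {
 throw new Error(
-"
+"XMTP_ENCRYPTION_KEY environment variable is required in production. Generate a secure random secret for JWT token signing."
 );
 }
 if (!secret) {
 console.warn(
-"\u26A0\uFE0F [SECURITY] Using fallback JWT secret for development. Set
+"\u26A0\uFE0F [SECURITY] Using fallback JWT secret for development. Set XMTP_ENCRYPTION_KEY environment variable for production."
 );
 return "fallback-secret-for-dev-only";
 }
 return secret;
-}
-
+}
+function getApiKey() {
 const apiKey = process.env.XMTP_API_KEY;
 const nodeEnv = process.env.NODE_ENV || "development";
 if (nodeEnv === "production" && !apiKey) {
@@ -3302,7 +3302,7 @@ var API_KEY = (() => {
 return "fallback-api-key-for-dev-only";
 }
 return apiKey;
-}
+}
 var JWT_EXPIRY = 5 * 60;
 function generateXMTPToolsToken(payload) {
 const now = Math.floor(Date.now() / 1e3);
@@ -3311,12 +3311,12 @@ function generateXMTPToolsToken(payload) {
 issued: now,
 expires: now + JWT_EXPIRY
 };
-return jwt.sign(fullPayload,
+return jwt.sign(fullPayload, getJwtSecret(), {
 expiresIn: JWT_EXPIRY
 });
 }
 function validateXMTPToolsToken(token) {
-if (token ===
+if (token === getApiKey()) {
 console.log("\u{1F511} [Auth] Using API key authentication");
 const now = Math.floor(Date.now() / 1e3);
 return {
@@ -3330,7 +3330,7 @@ function validateXMTPToolsToken(token) {
 };
 }
 try {
-const decoded = jwt.verify(token,
+const decoded = jwt.verify(token, getJwtSecret());
 console.log("\u{1F511} [Auth] Using JWT token authentication");
 const now = Math.floor(Date.now() / 1e3);
 if (decoded.expires < now) {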
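Review bot: `getJwtSecret()` and `getApiKey()` still fail open, because the only hard failure is gated on `nodeEnv === "production"` while `process.env.NODE_ENV || "development"` treats an unset NODE_ENV as development. A deployment that never sets NODE_ENV therefore signs and verifies tokens with the literal `"fallback-secret-for-dev-only"`, and `validateXMTPToolsToken` accepts the literal fallback API key at `token === getApiKey()`. I would make the fallbacks an explicit opt-in in both helpers, using `const nodeEnv = process.env.NODE_ENV;` and `if (!secret && nodeEnv !== "development" && nodeEnv !== "test") {` around the existing throw. Separately, the `===` comparison of the bearer token is not constant-time, so `crypto.timingSafeEqual` over equal-length buffers would be the safer check. This file is build output, so the change presumably belongs in `package/src/lib/jwt.ts`; the middle of `getApiKey`'s body lies between the first two hunks and is not shown.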